Initial NSS Open Source Checkin

17 files changed, 12578 insertions, 0 deletions

diff --git a/security/nss/lib/pki1/.cvsignore b/security/nss/lib/pki1/.cvsignore
new file mode 100644
index 000000000..12bfbfc7c
--- /dev/null
+++ b/security/nss/lib/pki1/.cvsignore
@@ -0,0 +1,3 @@
+oiddata.c
+oiddata.h
+
diff --git a/security/nss/lib/pki1/Makefile b/security/nss/lib/pki1/Makefile
new file mode 100644
index 000000000..03e1fb4c6
--- /dev/null
+++ b/security/nss/lib/pki1/Makefile
@@ -0,0 +1,38 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include config.mk
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/pki1/atav.c b/security/nss/lib/pki1/atav.c
new file mode 100644
index 000000000..299ddfc0d
--- /dev/null
+++ b/security/nss/lib/pki1/atav.c
@@ -0,0 +1,1803 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * atav.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * AttributeTypeAndValue.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * AttributeTypeAndValue
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type            ATTRIBUTE.&id ({SupportedAttributes}),
+ *          value   ATTRIBUTE.&Type ({SupportedAttributes}{@type})}
+ *  
+ *  -- ATTRIBUTE information object class specification
+ *  --  Note: This has been greatly simplified for PKIX !!
+ *  
+ *  ATTRIBUTE               ::=     CLASS {
+ *          &Type,
+ *          &id                     OBJECT IDENTIFIER UNIQUE }
+ *  WITH SYNTAX {
+ *          WITH SYNTAX &Type ID &id }
+ *  
+ * What this means is that the "type" of the value is determined by
+ * the value of the oid.  If we hide the structure, our accessors
+ * can (at least in debug builds) assert value semantics beyond what
+ * the compiler can provide.  Since these things are only used in
+ * RelativeDistinguishedNames, and since RDNs always contain a SET
+ * of these things, we don't lose anything by hiding the structure
+ * (and its size).
+ */
+
+struct NSSATAVStr {
+  NSSBER ber;
+  const NSSOID *oid;
+  NSSUTF8 *value;
+  nssStringType stringForm;
+};
+
+/*
+ * NSSATAV
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSATAV_CreateFromBER   -- constructor
+ *  NSSATAV_CreateFromUTF8  -- constructor
+ *  NSSATAV_Create          -- constructor
+ *
+ *  NSSATAV_Destroy
+ *  NSSATAV_GetDEREncoding
+ *  NSSATAV_GetUTF8Encoding
+ *  NSSATAV_GetType
+ *  NSSATAV_GetValue
+ *  NSSATAV_Compare
+ *  NSSATAV_Duplicate
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssATAV_CreateFromBER   -- constructor
+ *  nssATAV_CreateFromUTF8  -- constructor
+ *  nssATAV_Create          -- constructor
+ *
+ *  nssATAV_Destroy
+ *  nssATAV_GetDEREncoding
+ *  nssATAV_GetUTF8Encoding
+ *  nssATAV_GetType
+ *  nssATAV_GetValue
+ *  nssATAV_Compare
+ *  nssATAV_Duplicate
+ *
+ * In debug builds, the following non-public call is also available:
+ *
+ *  nssATAV_verifyPointer
+ */
+
+/*
+ * NSSATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berATAV
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+
+  if( (void *)NULL == berATAV->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_CreateFromBER(arenaOpt, berATAV);
+}
+
+/*
+ * NSSATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringATAV
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /*
+   * NSSUTF8s can be created by the user,
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSUTF8 *)NULL == stringATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_CreateFromUTF8(arenaOpt, stringATAV);
+}
+
+/*
+ * NSSATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (const void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Create(arenaOpt, oid, data, length);
+}
+
+/*
+ * NSSATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSATAV_Destroy
+(
+  NSSATAV *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Destroy(atav);
+}
+
+/*
+ * NSSATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_IMPLEMENT NSSDER *
+NSSATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetDEREncoding(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetUTF8Encoding(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_IMPLEMENT const NSSOID *
+NSSATAV_GetType
+(
+  NSSATAV *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetType(atav);
+}
+
+/*
+ * NSSATAV_GetValue
+ *
+ * This routine returns a string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetValue(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+
+  if( (PRBool *)NULL == equalp ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Compare(atav1, atav2, equalp);
+}
+
+/*
+ * NSSATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Duplicate(atav, arenaOpt);
+}
+
+/*
+ * The pointer-tracking code
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker atav_pointer_tracker;
+
+static PRStatus
+atav_add_pointer
+(
+  const NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+atav_remove_pointer
+(
+  const NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSATAV object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILRUE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_verifyPointer
+(
+  NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ATAV);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+typedef struct {
+  NSSBER oid;
+  NSSBER value;
+} atav_holder;
+
+static const nssASN1Template nss_atav_template[] = {
+  { nssASN1_SEQUENCE, 0, NULL, sizeof(atav_holder) },
+  { nssASN1_OBJECT_ID, nsslibc_offsetof(atav_holder, oid), NULL, 0 },
+  { nssASN1_ANY, nsslibc_offsetof(atav_holder, value), NULL, 0 },
+  { 0, 0, NULL, 0 }
+};
+
+/*
+ * There are several common attributes, with well-known type aliases
+ * and value semantics.  This table lists the ones we recognize.
+ */
+
+struct nss_attribute_data_str {
+  const NSSOID **oid;
+  nssStringType stringType;
+  PRUint32 minStringLength;
+  PRUint32 maxStringLength; /* zero for no limit */
+};
+
+static const struct nss_attribute_data_str nss_attribute_data[] = {
+  { &NSS_OID_X520_NAME,                     
+    nssStringType_DirectoryString, 1, 32768 },
+  { &NSS_OID_X520_COMMON_NAME,              
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_X520_SURNAME,                  
+    nssStringType_DirectoryString, 1,    40 },
+  { &NSS_OID_X520_GIVEN_NAME,               
+    nssStringType_DirectoryString, 1,    16 },
+  { &NSS_OID_X520_INITIALS,                 
+    nssStringType_DirectoryString, 1,     5 },
+  { &NSS_OID_X520_GENERATION_QUALIFIER,     
+    nssStringType_DirectoryString, 1,     3 },
+  { &NSS_OID_X520_DN_QUALIFIER,             
+    nssStringType_PrintableString, 1,     0 },
+  { &NSS_OID_X520_COUNTRY_NAME,             
+    nssStringType_PrintableString, 2,     2 },
+  { &NSS_OID_X520_LOCALITY_NAME,            
+    nssStringType_DirectoryString, 1,   128 },
+  { &NSS_OID_X520_STATE_OR_PROVINCE_NAME,   
+    nssStringType_DirectoryString, 1,   128 },
+  { &NSS_OID_X520_ORGANIZATION_NAME,        
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 
+    nssStringType_DirectoryString, 1,
+    /*
+     * Note, draft #11 defines both "32" and "64" for this maximum,
+     * in two separate places.  Until it's settled, "conservative
+     * in what you send."  We're always liberal in what we accept.
+     */
+                                         32 },
+  { &NSS_OID_X520_TITLE,                    
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_RFC1274_EMAIL,                 
+    nssStringType_PHGString,       1,   128 }
+};
+
+PRUint32 nss_attribute_data_quantity = 
+  (sizeof(nss_attribute_data)/sizeof(nss_attribute_data[0]));
+
+static nssStringType
+nss_attr_underlying_string_form
+(
+  nssStringType type,
+  void *data
+)
+{
+  if( nssStringType_DirectoryString == type ) {
+    PRUint8 tag = *(PRUint8 *)data;
+    switch( tag & nssASN1_TAGNUM_MASK ) {
+    case 20:
+      /*
+       * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
+       * below) but is T61 a suitable value for "Latin-1"?
+       */
+      return nssStringType_TeletexString;
+    case 19:
+      return nssStringType_PrintableString;
+    case 28:
+      return nssStringType_UniversalString;
+    case 30:
+      return nssStringType_BMPString;
+    case 12:
+      return nssStringType_UTF8String;
+    default:
+      return nssStringType_Unknown;
+    }
+  }
+
+  return type;
+}
+    
+
+/*
+ * This routine decodes the attribute value, in a type-specific way.
+ *
+ */
+
+static NSSUTF8 *
+nss_attr_to_utf8
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  NSSItem *item,
+  nssStringType *stringForm
+)
+{
+  NSSUTF8 *rv = (NSSUTF8 *)NULL;
+  PRUint32 i;
+  const struct nss_attribute_data_str *which = 
+    (struct nss_attribute_data_str *)NULL;
+  PRUint32 len = 0;
+
+  for( i = 0; i < nss_attribute_data_quantity; i++ ) {
+    if( *(nss_attribute_data[ i ].oid) == oid ) {
+      which = &nss_attribute_data[i];
+      break;
+    }
+  }
+
+  if( (struct nss_attribute_data_str *)NULL == which ) {
+    /* Unknown OID.  Encode it as hex. */
+    PRUint8 *c;
+    PRUint8 *d = (PRUint8 *)item->data;
+    PRUint32 amt = item->size;
+
+    if( item->size >= 0x7FFFFFFF ) {
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSUTF8 *)NULL;
+    }
+
+    len = 1 + (item->size * 2) + 1; /* '#' + hex + '\0' */
+    rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
+    if( (NSSUTF8 *)NULL == rv ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    c = (PRUint8 *)rv;
+    *c++ = '#'; /* XXX fgmr check this */
+    while( amt > 0 ) {
+      static char hex[16] = "0123456789ABCDEF";
+      *c++ = hex[ ((*d) & 0xf0) >> 4 ];
+      *c++ = hex[ ((*d) & 0x0f)      ];
+    }
+
+    /* *c = '\0'; nss_ZAlloc, remember */
+
+    *stringForm = nssStringType_Unknown; /* force exact comparison */
+  } else {
+    rv = nssUTF8_CreateFromBER(arenaOpt, which->stringType, 
+                               (NSSBER *)item);
+
+    if( (NSSUTF8 *)NULL == rv ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    if( PR_SUCCESS != nssUTF8_Length(rv, &len) ) {
+      nss_ZFreeIf(rv);
+      return (NSSUTF8 *)NULL;
+    }
+
+    *stringForm = nss_attr_underlying_string_form(which->stringType,
+                                                  item->data);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  const NSSBER *berATAV
+)
+{
+  atav_holder holder;
+  PRStatus status;
+  NSSATAV *rv;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+
+  if( (void *)NULL == berATAV->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  status = nssASN1_DecodeBER(arenaOpt, &holder, 
+                             nss_atav_template, berATAV);
+  if( PR_SUCCESS != status ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    nss_ZFreeIf(holder.oid.data);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = nssOID_CreateFromBER(&holder.oid);
+  if( (NSSOID *)NULL == rv->oid ) {
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.oid.data);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  nss_ZFreeIf(holder.oid.data);
+
+  rv->ber.data = nss_ZAlloc(arenaOpt, berATAV->size);
+  if( (void *)NULL == rv->ber.data ) {
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.size = berATAV->size;
+  (void)nsslibc_memcpy(rv->ber.data, berATAV->data, berATAV->size);
+
+  rv->value = nss_attr_to_utf8(arenaOpt, rv->oid, &holder.value,
+                               &rv->stringForm);
+  if( (NSSUTF8 *)NULL == rv->value ) {
+    nss_ZFreeIf(rv->ber.data);
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  nss_ZFreeIf(holder.value.data);
+
+#ifdef DEBUG
+  if( PR_SUCCESS != atav_add_pointer(rv) ) {
+    nss_ZFreeIf(rv->ber.data);
+    nss_ZFreeIf(rv->value);
+    nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+static PRBool
+nss_atav_utf8_string_is_hex
+(
+  const NSSUTF8 *s
+)
+{
+  /* All hex digits are ASCII, so this works */
+  PRUint8 *p = (PRUint8 *)s;
+
+  for( ; (PRUint8)0 != *p; p++ ) {
+    if( (('0' <= *p) && (*p <= '9')) ||
+        (('A' <= *p) && (*p <= 'F')) ||
+        (('a' <= *p) && (*p <= 'f')) ) {
+      continue;
+    } else {
+      return PR_FALSE;
+    }
+  }
+
+  return PR_TRUE;
+}
+
+static PRUint8
+nss_atav_fromhex
+(
+  PRUint8 *d
+)
+{
+  PRUint8 rv;
+
+  if( d[0] <= '9' ) {
+    rv = (d[0] - '0') * 16;
+  } else if( d[0] >= 'a' ) {
+    rv = (d[0] - 'a' + 10) * 16;
+  } else {
+    rv = (d[0] - 'A' + 10);
+  }
+
+  if( d[1] <= '9' ) {
+    rv += (d[1] - '0');
+  } else if( d[1] >= 'a' ) {
+    rv += (d[1] - 'a' + 10);
+  } else {
+    rv += (d[1] - 'A' + 10);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  const NSSUTF8 *stringATAV
+)
+{
+  char *c;
+  NSSUTF8 *type;
+  NSSUTF8 *value;
+  PRUint32 i;
+  const NSSOID *oid = (NSSOID *)NULL;
+  NSSATAV *rv;
+  NSSItem xitem;
+
+  xitem.data = (void *)NULL;
+
+  for( c = (char *)stringATAV; '\0' != *c; c++ ) {
+    if( '=' == *c ) {
+#ifdef PEDANTIC
+      /*
+       * Theoretically, one could have an '=' in an 
+       * attribute string alias.  We don't, yet, though.
+       */
+      if( (char *)stringATAV == c ) {
+        nss_SetError(NSS_ERROR_INVALID_STRING);
+        return (NSSATAV *)NULL;
+      } else {
+        if( '\\' == c[-1] ) {
+          continue;
+        }
+      }
+#endif /* PEDANTIC */
+      break;
+    }
+  }
+
+  if( '\0' == *c ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSATAV *)NULL;
+  } else {
+    c++;
+    value = (NSSUTF8 *)c;
+  }
+
+  i = ((NSSUTF8 *)c - stringATAV);
+  type = (NSSUTF8 *)nss_ZAlloc((NSSArena *)NULL, i);
+  if( (NSSUTF8 *)NULL == type ) {
+    return (NSSATAV *)NULL;
+  }
+
+  (void)nsslibc_memcpy(type, stringATAV, i-1);
+
+  c = (char *)stringATAV;
+  if( (('0' <= *c) && (*c <= '9')) || ('#' == *c) ) {
+    oid = nssOID_CreateFromUTF8(type);
+    if( (NSSOID *)NULL == oid ) {
+      nss_ZFreeIf(type);
+      return (NSSATAV *)NULL;
+    }
+  } else {
+    for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
+      const nssAttributeTypeAliasTable *e = &nss_attribute_type_aliases[i];
+      PRBool match = PR_FALSE;
+      if( PR_SUCCESS != nssUTF8_CaseIgnoreMatch(type, e->alias, 
+                                                &match) ) {
+        nss_ZFreeIf(type);
+        return (NSSATAV *)NULL;
+      }
+      if( PR_TRUE == match ) {
+        oid = *(e->oid);
+        break;
+      }
+    }
+
+    if( (NSSOID *)NULL == oid ) {
+      nss_ZFreeIf(type);
+      nss_SetError(NSS_ERROR_UNKNOWN_ATTRIBUTE);
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  nss_ZFreeIf(type);
+  type = (NSSUTF8 *)NULL;
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = oid;
+
+  if( '#' == *value ) { /* XXX fgmr.. was it '#'?  or backslash? */
+    PRUint32 size;
+    PRUint32 len;
+    PRUint8 *c;
+    PRUint8 *d;
+    /* It's in hex */
+
+    value++;
+    if( PR_TRUE != nss_atav_utf8_string_is_hex(value) ) {
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    if( PR_SUCCESS != nssUTF8_Size(value, &size) ) {
+      /* 
+       * Only returns an error on bad pointer (nope) or string
+       * too long.  The defined limits for known attributes are
+       * small enough to fit in PRUint32, and when undefined we
+       * get to apply our own practical limits.  Ergo, I say the 
+       * string is invalid.
+       */
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    if( ((size-1) & 1) ) {
+      /* odd length */
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    len = (size-1)/2;
+
+    rv->value = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
+    if( (NSSUTF8 *)NULL == rv->value ) {
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    xitem.size = len;
+    xitem.data = (void *)rv->value;
+
+    for( c = rv->value, d = value; len--; c++, d += 2 ) {
+      *c = nss_atav_fromhex(d);
+    }
+
+    *c = 0;
+  } else {
+    PRUint32 i, len;
+    PRUint8 *s;
+
+    /*
+     * XXX fgmr-- okay, this is a little wasteful, and should
+     * probably be abstracted out a bit.  Later.
+     */
+
+    rv->value = nssUTF8_Duplicate(value, arenaOpt);
+    if( (NSSUTF8 *)NULL == rv->value ) {
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    if( PR_SUCCESS != nssUTF8_Size(rv->value, &len) ) {
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    s = (PRUint8 *)rv->value;
+    for( i = 0; i < len; i++ ) {
+      if( '\\' == s[i] ) {
+        (void)nsslibc_memcpy(&s[i], &s[i+1], len-i-1);
+      }
+    }
+  }
+
+  /* Now just BER-encode the baby and we're through.. */
+  {
+    const struct nss_attribute_data_str *which = 
+      (struct nss_attribute_data_str *)NULL;
+    PRUint32 i;
+    NSSArena *a;
+    NSSDER *oidder;
+    NSSItem *vitem;
+    atav_holder ah;
+    NSSDER *status;
+
+    for( i = 0; i < nss_attribute_data_quantity; i++ ) {
+      if( *(nss_attribute_data[ i ].oid) == rv->oid ) {
+        which = &nss_attribute_data[i];
+        break;
+      }
+    }
+
+    a = NSSArena_Create();
+    if( (NSSArena *)NULL == a ) {
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    oidder = nssOID_GetDEREncoding(rv->oid, a);
+    if( (NSSDER *)NULL == oidder ) {
+      (void)NSSArena_Destroy(a);
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    if( (struct nss_attribute_data_str *)NULL == which ) {
+      /*
+       * We'll just have to take the user data as an octet stream.
+       */
+      if( (void *)NULL == xitem.data ) {
+        /*
+         * This means that an ATTR entry has been added to oids.txt,
+         * but no corresponding entry has been added to the array
+         * ns_attribute_data[] above.
+         */
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      vitem = nssASN1_EncodeDER(a, (NSSDER *)NULL, &xitem, 
+                                nssASN1Template_OctetString);
+      if( (NSSItem *)NULL == vitem ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      rv->stringForm = nssStringType_Unknown;
+    } else {
+      PRUint32 length = 0;
+      
+      if( PR_SUCCESS != nssUTF8_Length(rv->value, &length) ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      if( ((0 != which->minStringLength) && 
+           (length < which->minStringLength)) ||
+          ((0 != which->maxStringLength) &&
+           (length > which->maxStringLength)) ) {
+        nss_SetError(NSS_ERROR_INVALID_STRING);
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      vitem = nssUTF8_GetDEREncoding(a, which->stringType, rv->value);
+      if( (NSSItem *)NULL == vitem ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      if( nssStringType_DirectoryString == which->stringType ) {
+        rv->stringForm = nssStringType_UTF8String;
+      } else {
+        rv->stringForm = which->stringType;
+      }
+    }
+
+    ah.oid = *oidder;
+    ah.value = *vitem;
+
+    status = nssASN1_EncodeDER(arenaOpt, &rv->ber, &ah, 
+                               nss_atav_template);
+
+    if( (NSSDER *)NULL == status ) {
+      (void)NSSArena_Destroy(a);
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    (void)NSSArena_Destroy(a);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+)
+{
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (const void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /* XXX fgmr-- oops, forgot this one */
+  return (NSSATAV *)NULL;
+}
+
+/*
+ * nssATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_Destroy
+(
+  NSSATAV *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nss_ZFreeIf(atav->ber.data);
+  (void)nss_ZFreeIf(atav->value);
+
+#ifdef DEBUG
+  if( PR_SUCCESS != atav_remove_pointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_IMPLEMENT NSSDER *
+nssATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSDER *rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSDER *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arenaOpt, NSSDER);
+  if( (NSSDER *)NULL == rv ) {
+    return (NSSDER *)NULL;
+  }
+
+  rv->data = nss_ZAlloc(arenaOpt, atav->ber.size);
+  if( (void *)NULL == rv->data ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = atav->ber.size;
+  if( PR_SUCCESS != nsslibc_memcpy(rv->data, atav->ber.data, 
+                                   rv->size) ) {
+    (void)nss_ZFreeIf(rv->data);
+    (void)nss_ZFreeIf(rv);
+    return (NSSDER *)NULL;
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint32 i;
+  const NSSUTF8 *alias = (NSSUTF8 *)NULL;
+  NSSUTF8 *oid;
+  NSSUTF8 *value;
+  PRUint32 oidlen;
+  PRUint32 valuelen;
+  PRUint32 totallen;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
+    if( *(nss_attribute_type_aliases[i].oid) == atav->oid ) {
+      alias = nss_attribute_type_aliases[i].alias;
+      break;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == alias ) {
+    oid = nssOID_GetUTF8Encoding(atav->oid, (NSSArena *)NULL);
+    if( (NSSUTF8 *)NULL == oid ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    if( PR_SUCCESS != nssUTF8_Size(oid, &oidlen) ) {
+      (void)nss_ZFreeIf(oid);
+      return (NSSUTF8 *)NULL;
+    }
+  } else {
+    if( PR_SUCCESS != nssUTF8_Size(alias, &oidlen) ) {
+      return (NSSUTF8 *)NULL;
+    }
+    oid = (NSSUTF8 *)NULL;
+  }
+
+  value = nssATAV_GetValue(atav, (NSSArena *)NULL);
+  if( (NSSUTF8 *)NULL == value ) {
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( PR_SUCCESS != nssUTF8_Size(value, &valuelen) ) {
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  totallen = oidlen + valuelen - 1 + 1;
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, totallen);
+  if( (NSSUTF8 *)NULL == rv ) {
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSUTF8 *)NULL == alias ) {
+    if( (void *)NULL == nsslibc_memcpy(rv, oid, oidlen-1) ) {
+      (void)nss_ZFreeIf(rv);
+      (void)nss_ZFreeIf(value);
+      (void)nss_ZFreeIf(oid);
+      return (NSSUTF8 *)NULL;
+    }
+  } else {
+    if( (void *)NULL == nsslibc_memcpy(rv, alias, oidlen-1) ) {
+      (void)nss_ZFreeIf(rv);
+      (void)nss_ZFreeIf(value);
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  rv[ oidlen-1 ] = '=';
+
+  if( (void *)NULL == nsslibc_memcpy(&rv[oidlen], value, valuelen) ) {
+    (void)nss_ZFreeIf(rv);
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  A valid NSSOID pointer upon success
+ */
+
+NSS_IMPLEMENT const NSSOID *
+nssATAV_GetType
+(
+  NSSATAV *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return atav->oid;
+}
+
+/*
+ * nssATAV_GetValue
+ *
+ * This routine returns a NSSUTF8 string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error upon the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return nssUTF8_Duplicate(atav->value, arenaOpt);
+}
+
+/*
+ * nssATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+)
+{
+  nssStringType comparison;
+  PRUint32 len1;
+  PRUint32 len2;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+
+  if( (PRBool *)NULL == equalp ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( atav1->oid != atav2->oid ) {
+    *equalp = PR_FALSE;
+    return PR_SUCCESS;
+  }
+
+  if( atav1->stringForm != atav2->stringForm ) {
+    if( (nssStringType_PrintableString == atav1->stringForm) ||
+        (nssStringType_PrintableString == atav2->stringForm) ) {
+      comparison = nssStringType_PrintableString;
+    } else if( (nssStringType_PHGString == atav1->stringForm) ||
+               (nssStringType_PHGString == atav2->stringForm) ) {
+      comparison = nssStringType_PHGString;
+    } else {
+      comparison = atav1->stringForm;
+    }
+  } else {
+    comparison = atav1->stringForm;
+  }
+
+  switch( comparison ) {
+  case nssStringType_DirectoryString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  case nssStringType_TeletexString:
+    break;
+  case nssStringType_PrintableString:
+    return nssUTF8_PrintableMatch(atav1->value, atav2->value, 
+                                  equalp);
+    /* Case-insensitive, with whitespace reduction */
+    break;
+  case nssStringType_UniversalString:
+    break;
+  case nssStringType_BMPString:
+    break;
+  case nssStringType_UTF8String:
+    break;
+  case nssStringType_PHGString:
+    /* Case-insensitive (XXX fgmr, actually see draft-11 pg. 21) */
+    return nssUTF8_CaseIgnoreMatch(atav1->value, atav2->value, 
+                                   equalp);
+  case nssStringType_Unknown:
+    break;
+  }
+  
+  if( PR_SUCCESS != nssUTF8_Size(atav1->value, &len1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssUTF8_Size(atav2->value, &len2) ) {
+    return PR_FAILURE;
+  }
+
+  if( len1 != len2 ) {
+    *equalp = PR_FALSE;
+    return PR_SUCCESS;
+  }
+
+  return nsslibc_compare(atav1->value, atav2->value, len1, equalp);
+}
+
+
+/*
+ * nssATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSATAV *rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = atav->oid;
+  rv->stringForm = atav->stringForm;
+  rv->value = nssUTF8_Duplicate(atav->value, arenaOpt);
+  if( (NSSUTF8 *)NULL == rv->value ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.data = nss_ZAlloc(arenaOpt, atav->ber.size);
+  if( (void *)NULL == rv->ber.data ) {
+    (void)nss_ZFreeIf(rv->value);
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.size = atav->ber.size;
+  if( PR_SUCCESS != nsslibc_memcpy(rv->ber.data, atav->ber.data, 
+                                   atav->ber.size) ) {
+    (void)nss_ZFreeIf(rv->ber.data);
+    (void)nss_ZFreeIf(rv->value);
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/pki1/config.mk b/security/nss/lib/pki1/config.mk
new file mode 100644
index 000000000..80b3135f4
--- /dev/null
+++ b/security/nss/lib/pki1/config.mk
@@ -0,0 +1,37 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
diff --git a/security/nss/lib/pki1/genname.c b/security/nss/lib/pki1/genname.c
new file mode 100644
index 000000000..e7b12806a
--- /dev/null
+++ b/security/nss/lib/pki1/genname.c
@@ -0,0 +1,94 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * genname.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * GeneralName.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * GeneralName
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  GeneralName ::= CHOICE {
+ *          otherName                   [0] INSTANCE OF OTHER-NAME,
+ *          rfc822Name                  [1] IA5String,
+ *          dNSName                     [2] IA5String,
+ *          x400Address                 [3] ORAddress,
+ *          directoryName               [4] Name,
+ *          ediPartyName                [5] EDIPartyName,
+ *          uniformResourceIdentifier   [6] IA5String,
+ *          iPAddress                   [7] OCTET STRING,
+ *          registeredID                [8] OBJECT IDENTIFIER }
+ *  
+ *  OTHER-NAME ::= TYPE-IDENTIFIER
+ *  
+ *  EDIPartyName ::= SEQUENCE {
+ *          nameAssigner        [0] DirectoryString {ub-name} OPTIONAL,
+ *          partyName           [1] DirectoryString {ub-name} }
+ *
+ */
+
+struct nssGeneralNameStr {
+  NSSGeneralNameChoice choice;
+  union {
+    /* OTHER-NAME otherName */
+    NSSUTF8 *rfc822Name;
+    NSSUTF8 *dNSName;
+    /* ORAddress x400Address */
+    NSSName *directoryName;
+    /* EDIPartyName ediPartyName */
+    NSSUTF8 *uniformResourceIdentifier;
+    NSSItem *iPAddress;
+    NSSOID *registeredID;
+  } u;
+};
diff --git a/security/nss/lib/pki1/gnseq.c b/security/nss/lib/pki1/gnseq.c
new file mode 100644
index 000000000..e56ec93b9
--- /dev/null
+++ b/security/nss/lib/pki1/gnseq.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * gnseq.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * GeneralNames (note the ending 's').
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * GeneralNames (or, as we call it, GeneralNameSeq)
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * A GeneralNames is simply an (ordered) sequence of General Names.
+ * The seqSize variable is  "helper" kept for simplicity.
+ */
+
+struct nssGeneralNameSeqStr {
+  PRUint32 seqSize;
+  NSSGeneralName **generalNames;
+};
diff --git a/security/nss/lib/pki1/manifest.mn b/security/nss/lib/pki1/manifest.mn
new file mode 100644
index 000000000..8e032d974
--- /dev/null
+++ b/security/nss/lib/pki1/manifest.mn
@@ -0,0 +1,63 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	pki1.h		  \
+	pki1t.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	oiddata.h  \
+	nsspki1.h  \
+	nsspki1t.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		  \
+	atav.c	  \
+	genname.c \
+	gnseq.c	  \
+	name.c	  \
+	oid.c	  \
+	oiddata.c \
+	rdn.c	  \
+	rdnseq.c  \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = pki1
diff --git a/security/nss/lib/pki1/name.c b/security/nss/lib/pki1/name.c
new file mode 100644
index 000000000..558e1142f
--- /dev/null
+++ b/security/nss/lib/pki1/name.c
@@ -0,0 +1,77 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * name.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * Name.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * Name
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  -- naming data types --
+ *  
+ *  Name            ::=     CHOICE { -- only one possibility for now --
+ *                                          rdnSequence  RDNSequence }
+ *
+ * A name is basically a union of the possible names.  At the moment,
+ * there is only one type of name: an RDNSequence.
+ */
+
+struct nssNameStr {
+  PRUint32 tagPlaceHolder;
+  union {
+    NSSRDNSeq *rdnSequence;
+  } n;
+};
+
diff --git a/security/nss/lib/pki1/nsspki1.h b/security/nss/lib/pki1/nsspki1.h
new file mode 100644
index 000000000..3498ab520
--- /dev/null
+++ b/security/nss/lib/pki1/nsspki1.h
@@ -0,0 +1,2869 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKI1_H
+#define NSSPKI1_H
+
+#ifdef DEBUG
+static const char NSSPKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspki1.h
+ *
+ * This file contains the prototypes of the public NSS routines 
+ * dealing with the PKIX part-1 definitions.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+#ifndef OIDDATA_H
+#include "oiddata.h"
+#endif /* OIDDATA_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSOID
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSOID_CreateFromBER   -- constructor
+ *  NSSOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  NSSOID_GetDEREncoding
+ *  NSSOID_GetUTF8Encoding
+ */
+
+extern const NSSOID *NSS_OID_UNKNOWN;
+
+/*
+ * NSSOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromBER
+(
+  NSSBER *berOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+NSSOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSATAV_CreateFromBER   -- constructor
+ *  NSSATAV_CreateFromUTF8  -- constructor
+ *  NSSATAV_Create          -- constructor
+ *
+ *  NSSATAV_Destroy
+ *  NSSATAV_GetDEREncoding
+ *  NSSATAV_GetUTF8Encoding
+ *  NSSATAV_GetType
+ *  NSSATAV_GetValue
+ *  NSSATAV_Compare
+ *  NSSATAV_Duplicate
+ */
+
+/*
+ * NSSATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *derATAV
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringATAV
+);
+
+extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSATAV_Destroy
+(
+  NSSATAV *atav
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+
+/*
+ * NSSATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_EXTERN NSSDER *
+NSSATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_EXTERN const NSSOID *
+NSSATAV_GetType
+(
+  NSSATAV *atav
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+
+/*
+ * NSSATAV_GetValue
+ *
+ * This routine returns an NSSItem containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+
+/*
+ * NSSATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSRDN
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSRDN_CreateFromBER   -- constructor
+ *  NSSRDN_CreateFromUTF8  -- constructor
+ *  NSSRDN_Create          -- constructor
+ *  NSSRDN_CreateSimple    -- constructor
+ *
+ *  NSSRDN_Destroy
+ *  NSSRDN_GetDEREncoding
+ *  NSSRDN_GetUTF8Encoding
+ *  NSSRDN_AddATAV
+ *  NSSRDN_GetATAVCount
+ *  NSSRDN_GetATAV
+ *  NSSRDN_GetSimpleATAV
+ *  NSSRDN_Compare
+ *  NSSRDN_Duplicate
+ */
+
+/*
+ * NSSRDN_CreateFromBER
+ *
+ * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
+ * RDN.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDN
+);
+
+/*
+ * NSSRDN_CreateFromUTF8
+ *
+ * This routine creates an NSSRDN by decoding an UTF8 string 
+ * consisting of either a single ATAV in the "equals" format, e.g., 
+ * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
+ * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDN
+);
+
+/*
+ * NSSRDN_Create
+ *
+ * This routine creates an NSSRDN from one or more NSSATAVs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_Create
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav1,
+  ...
+);
+
+/*
+ * NSSRDN_CreateSimple
+ *
+ * This routine creates a simple NSSRDN from a single NSSATAV.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateSimple
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav
+);
+
+/*
+ * NSSRDN_Destroy
+ *
+ * This routine will destroy an RDN object.  It should eventually be
+ * called on all RDNs created without an arena.  While it is not 
+ * necessary to call it on RDNs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_Destroy
+(
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDN_GetDEREncoding
+ *
+ * This routine will DER-encode an RDN object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDN
+ */
+
+NSS_EXTERN NSSDER *
+NSSRDN_GetDEREncoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDN.  A simple (one-ATAV) RDN will be simply
+ * the string representation of that ATAV; a non-simple RDN will be in
+ * parenthesised form.  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * null upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSRDN_GetUTF8Encoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_AddATAV
+ *
+ * This routine adds an ATAV to the set of ATAVs in the specified RDN.
+ * Remember that RDNs consist of an unordered set of ATAVs.  If the
+ * RDN was created with a non-null arena argument, that same arena
+ * will be used for any additional required memory.  If the RDN was 
+ * created with a NULL arena argument, any additional memory will
+ * be obtained from the heap.  This routine returns a PRStatus value;
+ * it will return PR_SUCCESS upon success, and upon failure it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_AddATAV
+(
+  NSSRDN *rdn,
+  NSSATAV *atav
+);
+
+/*
+ * NSSRDN_GetATAVCount
+ *
+ * This routine returns the cardinality of the set of ATAVs within
+ * the specified RDN.  This routine may return 0 upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSRDN_GetATAVCount
+(
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDN_GetATAV
+ *
+ * This routine returns a pointer to an ATAV that is a member of
+ * the set of ATAVs within the specified RDN.  While the set of
+ * ATAVs within an RDN is unordered, this routine will return
+ * distinct values for distinct values of 'i' as long as the RDN
+ * is not changed in any way.  The RDN may be changed by calling
+ * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
+ * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
+ * The caller owns the ATAV the pointer to which is returned.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSRDN_GetATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSRDN_GetSimpleATAV
+ *
+ * Most RDNs are actually very simple, with a single ATAV.  This 
+ * routine will return the single ATAV from such an RDN.  The caller
+ * owns the ATAV the pointer to which is returned.  If the optional
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, including the case where
+ * the set of ATAVs in the RDN is nonsingular.  Upon error, this
+ * routine will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_RDN_NOT_SIMPLE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSRDN_GetSimpleATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_Compare
+ *
+ * This routine compares two RDNs for equality.  For two RDNs to be
+ * equal, they must have the same number of ATAVs, and every ATAV in
+ * one must be equal to an ATAV in the other.  (Note that the sets
+ * of ATAVs are unordered.)  The result of the comparison will be
+ * stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool.  This routine may return PR_FAILURE
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_Compare
+(
+  NSSRDN *rdn1,
+  NSSRDN *rdn2,
+  PRBool *equalp
+);
+
+/*
+ * NSSRDN_Duplicate
+ *
+ * This routine duplicates the specified RDN.  If the optional arena
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new RDN
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_Duplicate
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSRDNSeq_CreateFromBER   -- constructor
+ *  NSSRDNSeq_CreateFromUTF8  -- constructor
+ *  NSSRDNSeq_Create          -- constructor
+ *
+ *  NSSRDNSeq_Destroy
+ *  NSSRDNSeq_GetDEREncoding
+ *  NSSRDNSeq_GetUTF8Encoding
+ *  NSSRDNSeq_AppendRDN
+ *  NSSRDNSeq_GetRDNCount
+ *  NSSRDNSeq_GetRDN
+ *  NSSRDNSeq_Compare
+ *  NSSRDNSeq_Duplicate
+ */
+
+/*
+ * NSSRDNSeq_CreateFromBER
+ *
+ * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
+ * sequence of RDNs.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDNSeq
+);
+
+/*
+ * NSSRDNSeq_CreateFromUTF8
+ *
+ * This routine creates an NSSRDNSeq by decoding a UTF8 string
+ * consisting of a comma-separated sequence of RDNs, such as
+ * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDNSeq
+);
+
+/*
+ * NSSRDNSeq_Create
+ *
+ * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointero to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSRDN *rdn1,
+  ...
+);
+
+/*
+ * NSSRDNSeq_Destroy
+ *
+ * This routine will destroy an RDNSeq object.  It should eventually 
+ * be called on all RDNSeqs created without an arena.  While it is not
+ * necessary to call it on RDNSeqs created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_Destroy
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * NSSRDNSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an RDNSeq object.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return null upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDNSeq
+ */
+
+NSS_EXTERN NSSDER *
+NSSRDNSeq_GetDEREncoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDNSeq as a comma-separated sequence of RDNs.  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSRDNSeq_GetUTF8Encoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq_AppendRDN
+ *
+ * This routine appends an RDN to the end of the existing RDN 
+ * sequence.  If the RDNSeq was created with a non-null arena 
+ * argument, that same arena will be used for any additional required
+ * memory.  If the RDNSeq was created with a NULL arena argument, any
+ * additional memory will be obtained from the heap.  This routine
+ * returns a PRStatus value; it will return PR_SUCCESS upon success,
+ * and upon failure it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_AppendRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDNSeq_GetRDNCount
+ *
+ * This routine returns the cardinality of the sequence of RDNs within
+ * the specified RDNSeq.  This routine may return 0 upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSRDNSeq_GetRDNCount
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * NSSRDNSeq_GetRDN
+ *
+ * This routine returns a pointer to the i'th RDN in the sequence of
+ * RDNs that make up the specified RDNSeq.  The sequence begins with
+ * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
+ * is on the range [0,c) where c is the cardinality returned from
+ * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
+ * is returned.  If the optional arena argument is non-null, the memory
+ * used will be obtained from that areana; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.  Note that the 
+ * usual string representation of RDN Sequences is from last to first.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDN
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDNSeq_GetRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSRDNSeq_Compare
+ *
+ * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
+ * be equal, they must have the same number of RDNs, and each RDN in
+ * one sequence must be equal to the corresponding RDN in the other
+ * sequence.  The result of the comparison will be stored at the
+ * location pointed to by the "equalp" variable, which must point to a
+ * valid PRBool.  This routine may return PR_FAILURE upon error, in
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_Compare
+(
+  NSSRDNSeq *rdnseq1,
+  NSSRDNSeq *rdnseq2,
+  PRBool *equalp
+);
+
+/*
+ * NSSRDNSeq_Duplicate
+ *
+ * This routine duplicates the specified RDNSeq.  If the optional arena
+ * argument is non-null, the memory required will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new RDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_Duplicate
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ * NSSName_CreateFromBER   -- constructor
+ * NSSName_CreateFromUTF8  -- constructor
+ * NSSName_Create          -- constructor
+ *
+ * NSSName_Destroy
+ * NSSName_GetDEREncoding
+ * NSSName_GetUTF8Encoding
+ * NSSName_GetChoice
+ * NSSName_GetRDNSequence
+ * NSSName_GetSpecifiedChoice
+ * NSSName_Compare
+ * NSSName_Duplicate
+ *
+ * NSSName_GetUID
+ * NSSName_GetEmail
+ * NSSName_GetCommonName
+ * NSSName_GetOrganization
+ * NSSName_GetOrganizationalUnits
+ * NSSName_GetStateOrProvince
+ * NSSName_GetLocality
+ * NSSName_GetCountry
+ * NSSName_GetAttribute
+ */
+
+/*
+ * NSSName_CreateFromBER
+ *
+ * This routine creates an NSSName by decoding a BER- or DER-encoded 
+ * (directory) Name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have created an error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berName
+);
+
+/*
+ * NSSName_CreateFromUTF8
+ *
+ * This routine creates an NSSName by decoding a UTF8 string 
+ * consisting of the string representation of one of the choices of 
+ * (directory) names.  Currently the only choice is an RDNSeq.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  The routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringName
+);
+
+/*
+ * NSSName_Create
+ *
+ * This routine creates an NSSName with the specified choice of
+ * underlying name types.  The value of the choice variable must be
+ * one of the values of the NSSNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                     Type
+ *   ========================   ===========
+ *   NSSNameChoiceRdnSequence   NSSRDNSeq *
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_Create
+(
+  NSSArena *arenaOpt,
+  NSSNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSName_Destroy
+ *
+ * This routine will destroy a Name object.  It should eventually be
+ * called on all Names created without an arena.  While it is not
+ * necessary to call it on Names created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSName_Destroy
+(
+  NSSName *name
+);
+
+/*
+ * NSSName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSName
+ */
+
+NSS_EXTERN NSSDER *
+NSSName_GetDEREncoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the Name in the format specified by the 
+ * underlying name choice.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSName_GetUTF8Encoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetChoice
+ *
+ * This routine returns the type of the choice underlying the specified
+ * name.  The return value will be a member of the NSSNameChoice 
+ * enumeration.  This routine may return NSSNameChoiceInvalid upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  NSSNameChoiceInvalid upon error
+ *  An other member of the NSSNameChoice enumeration upon success
+ */
+
+NSS_EXTERN NSSNameChoice
+NSSName_GetChoice
+(
+  NSSName *name
+);
+
+/*
+ * NSSName_GetRDNSequence
+ *
+ * If the choice underlying the specified NSSName is that of an 
+ * RDNSequence, this routine will return a pointer to that RDN
+ * sequence.  Otherwise, this routine will place an error on the
+ * error stack, and return NULL.  If the optional arena argument is
+ * non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The
+ * caller owns the returned pointer.  This routine may return NULL
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSName_GetRDNSequence
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSName matches the specified
+ * choice, a caller-owned pointer to that underlying object will be
+ * returned.  Otherwise, an error will be placed on the error stack and
+ * NULL will be returned.  If the optional arena argument is non-null, 
+ * the memory required will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  The caller owns the returned
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+NSSName_GetSpecifiedChoice
+(
+  NSSName *name,
+  NSSNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_Compare
+ *
+ * This routine compares two Names for equality.  For two Names to be
+ * equal, they must have the same choice of underlying types, and the
+ * underlying values must be equal.  The result of the comparison will
+ * be stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool. This routine may return PR_FAILURE
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSName_Compare
+(
+  NSSName *name1,
+  NSSName *name2,
+  PRBool *equalp
+);
+
+/*
+ * NSSName_Duplicate
+ *
+ * This routine duplicates the specified nssname.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSName
+ */
+
+NSS_EXTERN NSSName *
+NSSName_Duplicate
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a UID attribute, the UID will be the value of 
+ * that attribute.  Note that no UID attribute is defined in either 
+ * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
+ * defines the type as a caseIgnoreString.  We'll return a Directory 
+ * String.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetUID
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing either a PKIX email address or a PKCS#9 email
+ * address, the result will be the value of that attribute.  If the
+ * optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
+NSSName_GetEmail
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a PKIX Common Name, the result will be that name.  If 
+ * the optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetCommonName
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified name, if the choices and content of the name permit.  
+ * If Name consists of a Sequence of Relative Distinguished names 
+ * containing a PKIX Organization, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetOrganization
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified name, if the choices and content of 
+ * the name permit.  If the Name consists of a Sequence of Relative 
+ * Distinguished Names containing one or more organisational units,
+ * the result will be the values of those attributes.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+NSSName_GetOrganizationalUnits
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a state or province, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetStateOrProvince
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from the 
+ * specified name, if the choices and content of the name permit.  If
+ * the Name consists of a Sequence of Relative Distinguished names
+ * containing a Locality, the result will be the value of that 
+ * attribute.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetLocality
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a Country, the result will be the value of
+ * that attribute..  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have created an 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+NSSName_GetCountry
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetAttribute
+ *
+ * If the specified name consists of a Sequence of Relative 
+ * Distinguished Names containing an attribute with the specified 
+ * type, and the actual value of that attribute may be expressed 
+ * with a Directory String, then the value of that attribute will 
+ * be returned as a Directory String.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetAttribute
+(
+  NSSName *name,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ * NSSGeneralName_CreateFromBER   -- constructor
+ * NSSGeneralName_CreateFromUTF8  -- constructor
+ * NSSGeneralName_Create          -- constructor
+ *
+ * NSSGeneralName_Destroy
+ * NSSGeneralName_GetDEREncoding
+ * NSSGeneralName_GetUTF8Encoding
+ * NSSGeneralName_GetChoice
+ * NSSGeneralName_GetOtherName
+ * NSSGeneralName_GetRfc822Name
+ * NSSGeneralName_GetDNSName
+ * NSSGeneralName_GetX400Address
+ * NSSGeneralName_GetDirectoryName
+ * NSSGeneralName_GetEdiPartyName
+ * NSSGeneralName_GetUniformResourceIdentifier
+ * NSSGeneralName_GetIPAddress
+ * NSSGeneralName_GetRegisteredID
+ * NSSGeneralName_GetSpecifiedChoice
+ * NSSGeneralName_Compare
+ * NSSGeneralName_Duplicate
+ *
+ * NSSGeneralName_GetUID
+ * NSSGeneralName_GetEmail
+ * NSSGeneralName_GetCommonName
+ * NSSGeneralName_GetOrganization
+ * NSSGeneralName_GetOrganizationalUnits
+ * NSSGeneralName_GetStateOrProvince
+ * NSSGeneralName_GetLocality
+ * NSSGeneralName_GetCountry
+ * NSSGeneralName_GetAttribute
+ */
+
+/*
+ * NSSGeneralName_CreateFromBER
+ *
+ * This routine creates an NSSGeneralName by decoding a BER- or DER-
+ * encoded general name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralName
+);
+
+/*
+ * NSSGeneralName_CreateFromUTF8
+ *
+ * This routine creates an NSSGeneralName by decoding a UTF8 string
+ * consisting of the string representation of one of the choices of
+ * general names.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.  The routine may return NULL upon
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringGeneralName
+);
+
+/*
+ * NSSGeneralName_Create
+ *
+ * This routine creates an NSSGeneralName with the specified choice of
+ * underlying name types.  The value of the choice variable must be one
+ * of the values of the NSSGeneralNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                                         Type
+ *   ============================================   =========
+ *   NSSGeneralNameChoiceOtherName
+ *   NSSGeneralNameChoiceRfc822Name
+ *   NSSGeneralNameChoiceDNSName
+ *   NSSGeneralNameChoiceX400Address
+ *   NSSGeneralNameChoiceDirectoryName              NSSName *
+ *   NSSGeneralNameChoiceEdiPartyName
+ *   NSSGeneralNameChoiceUniformResourceIdentifier
+ *   NSSGeneralNameChoiceIPAddress
+ *   NSSGeneralNameChoiceRegisteredID
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one fo the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_Create
+(
+  NSSGeneralNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSGeneralName_Destroy
+ * 
+ * This routine will destroy a General Name object.  It should 
+ * eventually be called on all General Names created without an arena.
+ * While it is not necessary to call it on General Names created within
+ * an arena, it is not an error to do so.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS. If 
+ * usuccessful, it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralName_Destroy
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralName
+ */
+
+NSS_EXTERN NSSDER *
+NSSGeneralName_GetDEREncoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the General Name in the format specified by the
+ * underlying name choice.  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSGeneralName_GetUTF8Encoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetChoice
+ *
+ * This routine returns the type of choice underlying the specified 
+ * general name.  The return value will be a member of the 
+ * NSSGeneralNameChoice enumeration.  This routine may return 
+ * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NSSGeneralNameChoiceInvalid upon error
+ *  An other member of the NSSGeneralNameChoice enumeration 
+ */
+
+NSS_EXTERN NSSGeneralNameChoice
+NSSGeneralName_GetChoice
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralName_GetOtherName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * Other Name, this routine will return a pointer to that Other name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSOtherName
+ */
+
+NSS_EXTERN NSSOtherName *
+NSSGeneralName_GetOtherName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetRfc822Name
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * RFC 822 Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRFC822Name
+ */
+
+NSS_EXTERN NSSRFC822Name *
+NSSGeneralName_GetRfc822Name
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetDNSName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a 
+ * DNS Name, this routine will return a pointer to that DNS name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSDNSName
+ */
+
+NSS_EXTERN NSSDNSName *
+NSSGeneralName_GetDNSName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetX400Address
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * X.400 Address, this routine will return a pointer to that Address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSX400Address
+ */
+
+NSS_EXTERN NSSX400Address *
+NSSGeneralName_GetX400Address
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetDirectoryName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * (directory) Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSName
+ */
+
+NSS_EXTERN NSSName *
+NSSGeneralName_GetName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetEdiPartyName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * EDI Party Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSEdiPartyName
+ */
+
+NSS_EXTERN NSSEdiPartyName *
+NSSGeneralName_GetEdiPartyName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUniformResourceIdentifier
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * URI, this routine will return a pointer to that URI.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSURI
+ */
+
+NSS_EXTERN NSSURI *
+NSSGeneralName_GetUniformResourceIdentifier
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetIPAddress
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * IP Address , this routine will return a pointer to that address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSIPAddress
+ */
+
+NSS_EXTERN NSSIPAddress *
+NSSGeneralName_GetIPAddress
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetRegisteredID
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * Registered ID, this routine will return a pointer to that ID.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRegisteredID
+ */
+
+NSS_EXTERN NSSRegisteredID *
+NSSGeneralName_GetRegisteredID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSGeneralName matches the
+ * specified choice, a caller-owned pointer to that underlying object
+ * will be returned.  Otherwise, an error will be placed on the error
+ * stack and NULL will be returned.  If the optional arena argument
+ * is non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The caller
+ * owns the returned pointer.  This routine may return NULL upon 
+ * error, in which caes it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+NSSGeneralName_GetSpecifiedChoice
+(
+  NSSGeneralName *generalName,
+  NSSGeneralNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_Compare
+ * 
+ * This routine compares two General Names for equality.  For two 
+ * General Names to be equal, they must have the same choice of
+ * underlying types, and the underlying values must be equal.  The
+ * result of the comparison will be stored at the location pointed
+ * to by the "equalp" variable, which must point to a valid PRBool.
+ * This routine may return PR_FAILURE upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following value:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralName_Compare
+(
+  NSSGeneralName *generalName1,
+  NSSGeneralName *generalName2,
+  PRBool *equalp
+);
+
+/*
+ * NSSGeneralName_Duplicate
+ *
+ * This routine duplicates the specified General Name.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSGeneralName
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_Duplicate
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished Names containing a UID
+ * attribute, the UID will be the value of that attribute.  Note
+ * that no UID attribute is defined in either PKIX or PKCS#9; 
+ * rather, this seems to derive from RFC 1274, which defines the
+ * type as a caseIgnoreString.  We'll return a Directory String.
+ * If the optional arena argument is non-null, the memory used
+ * will be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetUID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing either
+ * a PKIX email address or a PKCS#9 email address, the result will
+ * be the value of that attribute.  If the General Name is an RFC 822
+ * Name, the result will be the string form of that name.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
+NSSGeneralName_GetEmail
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a PKIX
+ * Common Name, the result will be that name.  If the optional arena 
+ * argument is non-null, the memory used will be obtained from that 
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetCommonName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing an
+ * Organization, the result will be the value of that attribute.  
+ * If the optional arena argument is non-null, the memory used will 
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetOrganization
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified general name, if the choices and 
+ * content of the name permit.  If the General Name is a (directory) 
+ * Name consisting of a Sequence of Relative Distinguished names 
+ * containing one or more organisational units, the result will 
+ * consist of those units.  If the optional arena  argument is non-
+ * null, the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+NSSGeneralName_GetOrganizationalUnits
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a state or 
+ * province, the result will be the value of that attribute.  If the 
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetStateOrProvince
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a Locality, 
+ * the result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetLocality
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified general name, if the choices and content of the name 
+ * permit.  If the General Name is a (directory) Name consisting of a
+ * Sequence of Relative Distinguished names containing a Country, the 
+ * result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+NSSGeneralName_GetCountry
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetAttribute
+ *
+ * If the specified general name is a (directory) name consisting
+ * of a Sequence of Relative Distinguished Names containing an 
+ * attribute with the specified type, and the actual value of that
+ * attribute may be expressed with a Directory String, then the
+ * value of that attribute will be returned as a Directory String.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetAttribute
+(
+  NSSGeneralName *generalName,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSGeneralNameSeq_CreateFromBER   -- constructor
+ *  NSSGeneralNameSeq_Create          -- constructor
+ *
+ *  NSSGeneralNameSeq_Destroy
+ *  NSSGeneralNameSeq_GetDEREncoding
+ *  NSSGeneralNameSeq_AppendGeneralName
+ *  NSSGeneralNameSeq_GetGeneralNameCount
+ *  NSSGeneralNameSeq_GetGeneralName
+ *  NSSGeneralNameSeq_Compare
+ *  NSSGeneralnameSeq_Duplicate
+ */
+
+/*
+ * NSSGeneralNameSeq_CreateFromBER
+ *
+ * This routine creates a general name sequence by decoding a BER-
+ * or DER-encoded GeneralNames.  If the optional arena argument is
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_Create
+ *
+ * This routine creates an NSSGeneralNameSeq from one or more General
+ * Names.  The final argument to this routine must be NULL.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSGeneralName *generalName1,
+  ...
+);
+
+/*
+ * NSSGeneralNameSeq_Destroy
+ *
+ * This routine will destroy an NSSGeneralNameSeq object.  It should
+ * eventually be called on all NSSGeneralNameSeqs created without an
+ * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
+ * created within an arena, it is not an error to do so.  This routine
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_Destroy
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an NSSGeneralNameSeq object.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return null upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralNameSeq
+ */
+
+NSS_EXTERN NSSDER *
+NSSGeneralNameSeq_GetDEREncoding
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq_AppendGeneralName
+ *
+ * This routine appends a General Name to the end of the existing
+ * General Name Sequence.  If the sequence was created with a non-null
+ * arena argument, that same arena will be used for any additional
+ * required memory.  If the sequence was created with a NULL arena
+ * argument, any additional memory will be obtained from the heap.
+ * This routine returns a PRStatus value; it will return PR_SUCCESS
+ * upon success, and upon failure it will create an error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure.
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_AppendGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralNameSeq_GetGeneralNameCount
+ *
+ * This routine returns the cardinality of the specified General name
+ * Sequence.  This routine may return 0 upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value;
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSGeneralNameSeq_GetGeneralNameCount
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_GetGeneralName
+ *
+ * This routine returns a pointer to the i'th General Name in the 
+ * specified General Name Sequence.  The value of the variable 'i' is
+ * on the range [0,c) where c is the cardinality returned from 
+ * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
+ * Name the pointer to which is returned.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to a General Name.
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralNameSeq_GetGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSGeneralNameSeq_Compare
+ *
+ * This routine compares two General Name Sequences for equality.  For
+ * two General Name Sequences to be equal, they must have the same
+ * cardinality, and each General Name in one sequence must be equal to
+ * the corresponding General Name in the other.  The result of the
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_Compare
+(
+  NSSGeneralNameSeq *generalNameSeq1,
+  NSSGeneralNameSeq *generalNameSeq2,
+  PRBool *equalp
+);
+
+/*
+ * NSSGeneralNameSeq_Duplicate
+ *
+ * This routine duplicates the specified sequence of general names.  If
+ * the optional arena argument is non-null, the memory required will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new General Name Sequence.
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_Duplicate
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSPT1M_H */
diff --git a/security/nss/lib/pki1/nsspki1t.h b/security/nss/lib/pki1/nsspki1t.h
new file mode 100644
index 000000000..8765a3ad3
--- /dev/null
+++ b/security/nss/lib/pki1/nsspki1t.h
@@ -0,0 +1,202 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKI1T_H
+#define NSSPKI1T_H
+
+#ifdef DEBUG
+static const char NSSPKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspki1t.h
+ *
+ * This file contains the public type definitions for the PKIX part-1
+ * objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * OBJECT IDENTIFIER
+ *
+ * This is the basic OID that crops up everywhere.
+ */
+
+struct NSSOIDStr;
+typedef struct NSSOIDStr NSSOID;
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNamess consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ */
+
+struct NSSATAVStr;
+typedef struct NSSATAVStr NSSATAV;
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ */
+
+struct NSSRDNStr;
+typedef struct NSSRDNStr NSSRDN;
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ */
+
+struct NSSRDNSeqStr;
+typedef struct NSSRDNSeqStr NSSRDNSeq;
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ */
+
+struct NSSNameStr;
+typedef struct NSSNameStr NSSName;
+
+/*
+ * NameChoice
+ *
+ * This enumeration is used to specify choice within a name.
+ */
+
+enum NSSNameChoiceEnum {
+  NSSNameChoiceInvalid = -1,
+  NSSNameChoiceRdnSequence
+};
+typedef enum NSSNameChoiceEnum NSSNameChoice;
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ */
+
+struct NSSGeneralNameStr;
+typedef struct NSSGeneralNameStr NSSGeneralName;
+
+/*
+ * GeneralNameChoice
+ *
+ * This enumerates the possible general name types.
+ */
+
+enum NSSGeneralNameChoiceEnum {
+  NSSGeneralNameChoiceInvalid = -1,
+  NSSGeneralNameChoiceOtherName = 0,
+  NSSGeneralNameChoiceRfc822Name = 1,
+  NSSGeneralNameChoiceDNSName = 2,
+  NSSGeneralNameChoiceX400Address = 3,
+  NSSGeneralNameChoiceDirectoryName = 4,
+  NSSGeneralNameChoiceEdiPartyName = 5,
+  NSSGeneralNameChoiceUniformResourceIdentifier = 6,
+  NSSGeneralNameChoiceIPAddress = 7,
+  NSSGeneralNameChoiceRegisteredID = 8
+};
+typedef enum NSSGeneralNameChoiceEnum NSSGeneralNameChoice;
+
+/*
+ * The "other" types of general names.
+ */
+
+struct NSSOtherNameStr;
+typedef struct NSSOtherNameStr NSSOtherName;
+
+struct NSSRFC822NameStr;
+typedef struct NSSRFC822NameStr NSSRFC822Name;
+
+struct NSSDNSNameStr;
+typedef struct NSSDNSNameStr NSSDNSName;
+
+struct NSSX400AddressStr;
+typedef struct NSSX400AddressStr NSSX400Address;
+
+struct NSSEdiPartyNameStr;
+typedef struct NSSEdiPartyNameStr NSSEdiPartyName;
+
+struct NSSURIStr;
+typedef struct NSSURIStr NSSURI;
+
+struct NSSIPAddressStr;
+typedef struct NSSIPAddressStr NSSIPAddress;
+
+struct NSSRegisteredIDStr;
+typedef struct NSSRegisteredIDStr NSSRegisteredID;
+
+/*
+ * GeneralNameSeq
+ *
+ * This structure contains a sequence of GeneralName objects.
+ * Note that the PKIX documents refer to this as "GeneralNames,"
+ * which differs from "GeneralName" by only one letter.  To
+ * try to reduce confusion, we expand the name slightly to
+ * "GeneralNameSeq."
+ */
+
+struct NSSGeneralNameSeqStr;
+typedef struct NSSGeneralNameSeqStr NSSGeneralNameSeq;
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKI1T_H */
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
new file mode 100644
index 000000000..c4028a803
--- /dev/null
+++ b/security/nss/lib/pki1/oid.c
@@ -0,0 +1,1615 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * oid.c
+ *
+ * This file contains the implementation of the basic OID routines.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+#include "plhash.h"
+#include "plstr.h"
+
+/*
+ * NSSOID
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSOID_CreateFromBER   -- constructor
+ *  NSSOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  NSSOID_GetDEREncoding
+ *  NSSOID_GetUTF8Encoding
+
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssOID_CreateFromBER   -- constructor
+ *  nssOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  nssOID_GetDEREncoding
+ *  nssOID_GetUTF8Encoding
+ *
+ * In debug builds, the following non-public calls are also available:
+ *
+ *  nssOID_verifyPointer
+ *  nssOID_getExplanation
+ *  nssOID_getTaggedUTF8
+ */
+
+const NSSOID *NSS_OID_UNKNOWN = (NSSOID *)NULL;
+
+/*
+ * First, the public "wrappers"
+ */
+
+/*
+ * NSSOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NULL upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromBER
+(
+  NSSBER *berOid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berOid ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+
+  if( (void *)NULL == berOid->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+  
+  return nssOID_CreateFromBER(berOid);
+}
+
+/*
+ * NSSOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NULL
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  /*
+   * NSSUTF8s can be created by the user,
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSUTF8 *)NULL == stringOid ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssOID_CreateFromUTF8(stringOid);
+}
+
+/*
+ * NSSOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+NSSOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssOID_GetDEREncoding(oid, rvOpt, arenaOpt);
+}
+
+/*
+ * NSSOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssOID_GetUTF8Encoding(oid, arenaOpt);
+}
+
+/*
+ * Next, some internal bookkeeping; including the OID "tag" table 
+ * and the debug-version pointer tracker.
+ */
+
+/*
+ * For implementation reasons (so NSSOIDs can be compared with ==),
+ * we hash all NSSOIDs.  This is the hash table.
+ */
+
+static PLHashTable *oid_hash_table;
+
+/*
+ * And this is its lock.
+ */
+
+static PRLock *oid_hash_lock;
+
+/*
+ * This is the hash function.  We simply XOR the encoded form with
+ * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
+ * routine is left as an excercise for the more mathematically
+ * inclined student.
+ */
+
+static PR_CALLBACK PLHashNumber
+oid_hash
+(
+  const void *key
+)
+{
+  const NSSItem *item = (const NSSItem *)key;
+  PLHashNumber rv = 0;
+
+  PRUint8 *data = (PRUint8 *)item->data;
+  PRUint32 i;
+  PRUint8 *rvc = (PRUint8 *)&rv;
+
+  for( i = 0; i < item->size; i++ ) {
+    rvc[ i % sizeof(rv) ] ^= *data;
+    data++;
+  }
+
+  return rv;
+}
+
+/*
+ * This is the key-compare function.  It simply does a lexical
+ * comparison on the encoded OID form.  This does not result in
+ * quite the same ordering as the "sequence of numbers" order,
+ * but heck it's only used internally by the hash table anyway.
+ */
+
+static PR_CALLBACK PRIntn
+oid_hash_compare
+(
+  const void *k1,
+  const void *k2
+)
+{
+  PRIntn rv;
+
+  const NSSItem *i1 = (const NSSItem *)k1;
+  const NSSItem *i2 = (const NSSItem *)k2;
+
+  PRUint32 size = (i1->size < i2->size) ? i1->size : i2->size;
+
+  rv = (PRIntn)nsslibc_memcmp(i1->data, i2->data, size, (PRStatus *)NULL);
+  if( 0 == rv ) {
+    rv = i1->size - i2->size;
+  }
+
+  return !rv;
+}
+
+/*
+ * The pointer-tracking code
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker oid_pointer_tracker;
+
+static PRStatus
+oid_add_pointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+#if defined(CAN_DELETE_OIDS)
+/*
+ * We actually don't define NSSOID deletion, since we keep OIDs
+ * in a hash table for easy comparison.  Were we to, this is
+ * what the pointer-removal function would look like.
+ */
+
+static PRStatus
+oid_remove_pointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+#endif /* CAN_DELETE_OIDS */
+
+#endif /* DEBUG */
+
+/*
+ * All dynamically-added OIDs get their memory from one statically-
+ * declared arena here, merely so that any cleanup code will have
+ * an easier time of it.
+ */
+
+static NSSArena *oid_arena;
+
+/*
+ * This is the call-once function which initializes the hashtable.
+ * It creates it, then prepopulates it with all of the builtin OIDs.
+ * It also creates the aforementioned NSSArena.
+ */
+
+static PR_CALLBACK PRStatus
+oid_once_func
+(
+  void
+)
+{
+  PRUint32 i;
+  
+  /* Initialize the arena */
+  oid_arena = nssArena_Create();
+  if( (NSSArena *)NULL == oid_arena ) {
+    goto loser;
+  }
+
+  /* Create the hash table lock */
+  oid_hash_lock = PR_NewLock();
+  if( (PRLock *)NULL == oid_hash_lock ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+  /* Create the hash table */
+  oid_hash_table = PL_NewHashTable(0, oid_hash, oid_hash_compare,
+                                   PL_CompareValues, 
+                                   (PLHashAllocOps *)0,
+                                   (void *)0);
+  if( (PLHashTable *)NULL == oid_hash_table ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+  /* And populate it with all the builtins */
+  for( i = 0; i < nss_builtin_oid_count; i++ ) {
+    NSSOID *oid = (NSSOID *)&nss_builtin_oids[i];
+    PLHashEntry *e = PL_HashTableAdd(oid_hash_table, &oid->data, oid);
+    if( (PLHashEntry *)NULL == e ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      goto loser;
+    }
+
+#ifdef DEBUG
+    if( PR_SUCCESS != oid_add_pointer(oid) ) {
+      goto loser;
+    }
+#endif /* DEBUG */
+  }
+
+  return PR_SUCCESS;
+
+ loser:
+  if( (PLHashTable *)NULL != oid_hash_table ) {
+    PL_HashTableDestroy(oid_hash_table);
+    oid_hash_table = (PLHashTable *)NULL;
+  }
+
+  if( (PRLock *)NULL != oid_hash_lock ) {
+    PR_DestroyLock(oid_hash_lock);
+    oid_hash_lock = (PRLock *)NULL;
+  }
+
+  if( (NSSArena *)NULL != oid_arena ) {
+    (void)nssArena_Destroy(oid_arena);
+    oid_arena = (NSSArena *)NULL;
+  }
+
+  return PR_FAILURE;
+}
+
+/*
+ * This is NSPR's once-block.
+ */
+
+static PRCallOnceType oid_call_once;
+
+/*
+ * And this is our multiply-callable internal init routine, which
+ * will call-once our call-once function.
+ */
+
+static PRStatus
+oid_init
+(
+  void
+)
+{
+  return PR_CallOnce(&oid_call_once, oid_once_func);
+}
+
+#ifdef DEBUG
+
+/*
+ * nssOID_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSOID object, 
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssOID_verifyPointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = oid_init();
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_NSSOID);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * oid_sanity_check_ber
+ *
+ * This routine merely applies some sanity-checking to the BER-encoded
+ * OID.
+ */
+
+static PRStatus
+oid_sanity_check_ber
+(
+  NSSBER *berOid
+)
+{
+  PRUint32 i;
+  PRUint8 *data = (PRUint8 *)berOid->data;
+
+  /*
+   * The size must be longer than zero bytes.
+   */
+
+  if( berOid->size <= 0 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * In general, we can't preclude any number from showing up
+   * someday.  We could probably guess that top-level numbers
+   * won't get very big (beyond the current ccitt(0), iso(1),
+   * or joint-ccitt-iso(2)).  However, keep in mind that the
+   * encoding rules wrap the first two numbers together, as
+   *
+   *     (first * 40) + second
+   *
+   * Also, it is noted in the specs that this implies that the
+   * second number won't go above forty.
+   *
+   * 128 encodes 3.8, which seems pretty safe for now.  Let's
+   * check that the first byte is less than that.
+   *
+   * XXX This is a "soft check" -- we may want to exclude it.
+   */
+
+  if( data[0] >= 0x80 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * In a normalised format, leading 0x80s will never show up.
+   * This means that no 0x80 will be preceeded by the final
+   * byte of a sequence, which would naturaly be less than 0x80.
+   * Our internal encoding for the single-digit OIDs uses 0x80,
+   * but the only places we use them (loading the builtin table,
+   * and adding a UTF8-encoded OID) bypass this check.
+   */
+
+  for( i = 1; i < berOid->size; i++ ) {
+    if( (0x80 == data[i]) && (data[i-1] < 0x80) ) {
+      return PR_FAILURE;
+    }
+  }
+
+  /*
+   * The high bit of each octet indicates that following octets
+   * are included in the current number.  Thus the last byte can't
+   * have the high bit set.
+   */
+
+  if( data[ berOid->size-1 ] >= 0x80 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Other than that, any byte sequence is legit.
+   */
+  return PR_SUCCESS;
+}
+
+/*
+ * nssOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NULL upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER
+(
+  NSSBER *berOid
+)
+{
+  NSSOID *rv;
+  PLHashEntry *e;
+  
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSOID *)NULL;
+  }
+
+  if( PR_SUCCESS != oid_sanity_check_ber(berOid) ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+
+  /*
+   * Does it exist?
+   */
+  PR_Lock(oid_hash_lock);
+  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, berOid);
+  (void)PR_Unlock(oid_hash_lock);
+  if( (NSSOID *)NULL != rv ) {
+    /* Found it! */
+    return rv;
+  }
+
+  /*
+   * Doesn't exist-- create it.
+   */
+  rv = nss_ZNEW(oid_arena, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.data = nss_ZAlloc(oid_arena, berOid->size);
+  if( (void *)NULL == rv->data.data ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.size = berOid->size;
+  nsslibc_memcpy(rv->data.data, berOid->data, berOid->size);
+
+#ifdef DEBUG
+  rv->tag = "<runtime>";
+  rv->expl = "(OID registered at runtime)";
+#endif /* DEBUG */
+
+  PR_Lock(oid_hash_lock);
+  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
+  (void)PR_Unlock(oid_hash_lock);
+  if( (PLHashEntry *)NULL == e ) {
+    nss_ZFreeIf(rv->data.data);
+    nss_ZFreeIf(rv);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSOID *)NULL;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = oid_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PR_Lock(oid_hash_lock);
+      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
+      (void)PR_Unlock(oid_hash_lock);
+      (void)nss_ZFreeIf(rv->data.data);
+      (void)nss_ZFreeIf(rv);
+      return (NSSOID *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * oid_sanity_check_utf8
+ *
+ * This routine merely applies some sanity-checking to the 
+ * UTF8-encoded OID.
+ */
+
+static PRStatus
+oid_sanity_check_utf8
+(
+  NSSUTF8 *s
+)
+{
+  /*
+   * It may begin with an octothorpe, which we skip.
+   */
+
+  if( '#' == *s ) {
+    s++;
+  }
+
+  /*
+   * It begins with a number
+   */
+
+  if( (*s < '0') || (*s > '9') ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * First number is only one digit long
+   *
+   * XXX This is a "soft check" -- we may want to exclude it
+   */
+
+  if( (s[1] != '.') && (s[1] != '\0') ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Every character is either a digit or a period
+   */
+
+  for( ; '\0' != *s; s++ ) {
+    if( ('.' != *s) && ((*s < '0') || (*s > '9')) ) {
+      return PR_FAILURE;
+    }
+
+    /* No two consecutive periods */
+    if( ('.' == *s) && ('.' == s[1]) ) {
+      return PR_FAILURE;
+    }
+  }
+
+  /*
+   * The last character isn't a period
+   */
+
+  if( '.' == *--s ) {
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRUint32
+oid_encode_number
+(
+  PRUint32 n,
+  PRUint8 *dp,
+  PRUint32 nb
+)
+{
+  PRUint32 a[5];
+  PRUint32 i;
+  PRUint32 rv;
+
+  a[0] = (n >> 28) & 0x7f;
+  a[1] = (n >> 21) & 0x7f;
+  a[2] = (n >> 14) & 0x7f;
+  a[3] = (n >>  7) & 0x7f;
+  a[4] =  n        & 0x7f;
+
+  for( i = 0; i < 5; i++ ) {
+    if( 0 != a[i] ) {
+      break;
+    }
+  }
+
+  if( 5 == i ) {
+    i--;
+  }
+
+  rv = 5-i;
+  if( rv > nb ) {
+    return rv;
+  }
+
+  for( ; i < 4; i++ ) {
+    *dp = 0x80 | a[i];
+    dp++;
+  }
+
+  *dp = a[4];
+
+  return rv;
+}
+
+/*
+ * oid_encode_huge
+ *
+ * This routine will convert a huge decimal number into the DER 
+ * encoding for oid numbers.  It is not limited to numbers that will
+ * fit into some wordsize, like oid_encode_number.  But it's not
+ * necessarily very fast, either.  This is here in case some joker
+ * throws us an ASCII oid like 1.2.3.99999999999999999999999999.
+ */
+
+static PRUint32
+oid_encode_huge
+(
+  NSSUTF8 *s,
+  NSSUTF8 *e,
+  PRUint8 *dp,
+  PRUint32 nb
+)
+{
+  PRUint32 slen = (e-s);
+  PRUint32 blen = (slen+1)/2;
+  PRUint8 *st = (PRUint8 *)NULL;
+  PRUint8 *bd = (PRUint8 *)NULL;
+  PRUint32 i;
+  PRUint32 bitno;
+  PRUint8 *last;
+  PRUint8 *first;
+  PRUint32 byteno;
+  PRUint8 mask;
+
+  /* We'll be munging the data, so duplicate it */
+  st = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, slen);
+  if( (PRUint8 *)NULL == st ) {
+    return 0;
+  }
+
+  /* Don't know ahead of time exactly how long we'll need */
+  bd = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, blen);
+  if( (PRUint8 *)NULL == bd ) {
+    (void)nss_ZFreeIf(st);
+    return 0;
+  }
+
+  /* Copy the original, and convert ASCII to numbers */
+  for( i = 0; i < slen; i++ ) {
+    st[i] = (PRUint8)(s[i] - '0');
+  }
+
+  last = &st[slen-1];
+  first = &st[0];
+
+  /*
+   * The way we create the binary version is by looking at it 
+   * bit by bit.  Start with the least significant bit.  If the
+   * number is odd, set that bit.  Halve the number (with integer
+   * division), and go to the next least significant bit.  Keep 
+   * going until the number goes to zero.
+   */
+  for( bitno = 0; ; bitno++ ) {
+    PRUint8 *d;
+
+    byteno = bitno/7;
+    mask = (PRUint8)(1 << (bitno%7));
+
+    /* Skip leading zeroes */
+    for( ; first < last; first ++ ) {
+      if( 0 != *first ) {
+        break;
+      }
+    }
+
+    /* Down to one number and it's a zero?  Done. */
+    if( (first == last) && (0 == *last) ) {
+      break;
+    }
+
+    /* Last digit is odd?  Set the bit */
+    if( *last & 1 ) {
+      bd[ byteno ] |= mask;
+    }
+
+
+    /* 
+     * Divide the number in half.  This is just a matter
+     * of going from the least significant digit upwards,
+     * halving each one.  If any digit is odd (other than
+     * the last, which has already been handled), add five
+     * to the digit to its right.
+     */
+    *last /= 2;
+
+    for( d = &last[-1]; d >= first; d-- ) {
+      if( *d & 1 ) {
+        d[1] += 5;
+      }
+
+      *d /= 2;
+    }
+  }
+
+  /* Is there room to write the encoded data? */
+  if( (byteno+1) > nb ) {
+    return (byteno+1);
+  }
+
+  /* Trim any leading zero that crept in there */
+  for( ; byteno > 0; byteno-- ) {
+    if( 0 != bd[ byteno ] ) {
+      break;
+    }
+  }
+
+  /* Copy all but the last, marking the "continue" bit */
+  for( i = 0; i < byteno; i++ ) {
+    dp[i] = bd[ byteno-i ] | 0x80;
+  }
+  /* And the last with the "continue" bit clear */
+  dp[byteno] = bd[0];
+
+  (void)nss_ZFreeIf(bd);
+  (void)nss_ZFreeIf(st);
+  return (byteno+1);
+}
+
+/*
+ * oid_encode_string
+ *
+ * This routine converts a dotted-number OID into a DER-encoded
+ * one.  It assumes we've already sanity-checked the string.
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static NSSOID *
+oid_encode_string
+(
+  NSSUTF8 *s
+)
+{
+  PRUint32 nn = 0; /* number of numbers */
+  PRUint32 nb = 0; /* number of bytes (estimated) */
+  NSSUTF8 *t;
+  PRUint32 nd = 0; /* number of digits */
+  NSSOID *rv;
+  PRUint8 *dp;
+  PRUint32 a, b;
+  PRUint32 inc;
+
+  /* Dump any octothorpe */
+  if( '#' == *s ) {
+    s++;
+  }
+
+  /* Count up the bytes needed */
+  for( t = s; '\0' != *t; t++ ) {
+    if( '.' == *t ) {
+      nb += (nd+1)/2; /* errs on the big side */
+      nd = 0;
+      nn++;
+    } else {
+      nd++;
+    }
+  }
+  nb += (nd+1)/2;
+  nn++;
+
+  if( 1 == nn ) {
+    /*
+     * We have our own "denormalised" encoding for these,
+     * which is only used internally.
+     */
+    nb++;
+  }
+
+  /* 
+   * Allocate.  Note that we don't use the oid_arena here.. this is
+   * because there really isn't a "free()" for stuff allocated out of
+   * arenas (at least with the current implementation), so this would
+   * keep using up memory each time a UTF8-encoded OID were added.
+   * If need be (if this is the first time this oid has been seen),
+   * we'll copy it.
+   */
+  rv = nss_ZNEW((NSSArena *)NULL, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.data = nss_ZAlloc((NSSArena *)NULL, nb);
+  if( (void *)NULL == rv->data.data ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSOID *)NULL;
+  }
+
+  dp = (PRUint8 *)rv->data.data;
+
+  a = atoi(s);
+
+  if( 1 == nn ) {
+    dp[0] = '\x80';
+    inc = oid_encode_number(a, &dp[1], nb-1);
+    if( inc >= nb ) {
+      goto loser;
+    }
+  } else {
+    for( t = s; '.' != *t; t++ ) {
+      ;
+    }
+
+    t++;
+    b = atoi(t);
+    inc = oid_encode_number(a*40+b, dp, nb);
+    if( inc > nb ) {
+      goto loser;
+    }
+    dp += inc;
+    nb -= inc;
+    nn -= 2;
+
+    while( nn-- > 0 ) {
+      NSSUTF8 *u;
+
+      for( ; '.' != *t; t++ ) {
+        ;
+      }
+
+      t++;
+
+      for( u = t; ('\0' != *u) && ('.' != *u); u++ ) {
+        ;
+      }
+
+      if( (u-t > 9) ) {
+        /* In the billions.  Rats. */
+        inc = oid_encode_huge(t, u, dp, nb);
+      } else {
+        b = atoi(t);
+        inc = oid_encode_number(b, dp, nb);
+      }
+
+      if( inc > nb ) {
+        goto loser;
+      }
+      dp += inc;
+      nb -= inc;
+    }
+  }
+
+  return rv;
+
+ loser:
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return (NSSOID *)NULL;
+}
+
+/*
+ * nssOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NULL
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+)
+{
+  NSSOID *rv = (NSSOID *)NULL;
+  NSSOID *candidate = (NSSOID *)NULL;
+  PLHashEntry *e;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSOID *)NULL;
+  }
+
+  if( PR_SUCCESS != oid_sanity_check_utf8(stringOid) ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSOID *)NULL;
+  }
+
+  candidate = oid_encode_string(stringOid);
+  if( (NSSOID *)NULL == candidate ) {
+    /* Internal error only */
+    return rv;
+  }
+
+  /*
+   * Does it exist?
+   */
+  PR_Lock(oid_hash_lock);
+  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, &candidate->data);
+  (void)PR_Unlock(oid_hash_lock);
+  if( (NSSOID *)NULL != rv ) {
+    /* Already exists.  Delete my copy and return the original. */
+    (void)nss_ZFreeIf(candidate->data.data);
+    (void)nss_ZFreeIf(candidate);
+    return rv;
+  }
+
+  /* 
+   * Nope.  Add it.  Remember to allocate it out of the oid arena.
+   */
+
+  rv = nss_ZNEW(oid_arena, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->data.data = nss_ZAlloc(oid_arena, candidate->data.size);
+  if( (void *)NULL == rv->data.data ) {
+    goto loser;
+  }
+
+  rv->data.size = candidate->data.size;
+  nsslibc_memcpy(rv->data.data, candidate->data.data, rv->data.size);
+
+  (void)nss_ZFreeIf(candidate->data.data);
+  (void)nss_ZFreeIf(candidate);
+
+#ifdef DEBUG
+  rv->tag = "<runtime>";
+  rv->expl = "(OID registered at runtime)";
+#endif /* DEBUG */
+
+  PR_Lock(oid_hash_lock);
+  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
+  (void)PR_Unlock(oid_hash_lock);
+  if( (PLHashEntry *)NULL == e ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = oid_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PR_Lock(oid_hash_lock);
+      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
+      (void)PR_Unlock(oid_hash_lock);
+      goto loser;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (NSSOID *)NULL != candidate ) {
+    (void)nss_ZFreeIf(candidate->data.data);
+  }
+  (void)nss_ZFreeIf(candidate);
+
+  if( (NSSOID *)NULL != rv ) {
+    (void)nss_ZFreeIf(rv->data.data);
+  }
+  (void)nss_ZFreeIf(rv);
+
+  return (NSSOID *)NULL;
+}
+
+/*
+ * nssOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+nssOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  const NSSItem *it;
+  NSSDER *rv;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSDER *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  it = &oid->data;
+
+  if( (NSSDER *)NULL == rvOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSDER);
+    if( (NSSDER *)NULL == rv ) {
+      return (NSSDER *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->data = nss_ZAlloc(arenaOpt, it->size);
+  if( (void *)NULL == rv->data ) {
+    if( rv != rvOpt ) {
+      (void)nss_ZFreeIf(rv);
+    }
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = it->size;
+  nsslibc_memcpy(rv->data, it->data, it->size);
+
+  return rv;
+}
+
+/*
+ * nssOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint8 *end;
+  PRUint8 *d;
+  PRUint8 *e;
+  char *a;
+  char *b;
+  PRUint32 len;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  a = (char *)NULL;
+
+  /* d will point to the next sequence of bytes to decode */
+  d = (PRUint8 *)oid->data.data;
+  /* end points to one past the legitimate data */
+  end = &d[ oid->data.size ];
+
+#ifdef NSSDEBUG
+  /*
+   * Guarantee that the for(e=d;e<end;e++) loop below will
+   * terminate.  Our BER sanity-checking code above will prevent
+   * such a BER from being registered, so the only other way one
+   * might show up is if our dotted-decimal encoder above screws
+   * up or our generated list is wrong.  So I'll wrap it with
+   * #ifdef NSSDEBUG and #endif.
+   */
+  if( end[-1] & 0x80 ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Check for our pseudo-encoded single-digit OIDs
+   */
+  if( (*d == 0x80) && (2 == oid->data.size) ) {
+    /* Funky encoding.  The second byte is the number */
+    a = PR_smprintf("%lu", (PRUint32)d[1]);
+    if( (char *)NULL == a ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+    goto done;
+  }
+
+  for( ; d < end; d = &e[1] ) {
+    
+    for( e = d; e < end; e++ ) {
+      if( 0 == (*e & 0x80) ) {
+        break;
+      }
+    }
+    
+    if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
+      /* More than a 32-bit number */
+    } else {
+      PRUint32 n = 0;
+      
+      switch( e-d ) {
+      case 4:
+        n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
+      case 3:
+        n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
+      case 2:
+        n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
+      case 1:
+        n |= ((PRUint32)(e[-1] & 0x7f)) <<  7;
+      case 0:
+        n |= ((PRUint32)(e[-0] & 0x7f))      ;
+      }
+      
+      if( (char *)NULL == a ) {
+        /* This is the first number.. decompose it */
+        PRUint32 one = (n/40), two = (n%40);
+        
+        a = PR_smprintf("%lu.%lu", one, two);
+        if( (char *)NULL == a ) {
+          nss_SetError(NSS_ERROR_NO_MEMORY);
+          return (NSSUTF8 *)NULL;
+        }
+      } else {
+        b = PR_smprintf("%s.%lu", a, n);
+        if( (char *)NULL == b ) {
+          PR_smprintf_free(a);
+          nss_SetError(NSS_ERROR_NO_MEMORY);
+          return (NSSUTF8 *)NULL;
+        }
+        
+        PR_smprintf_free(a);
+        a = b;
+      }
+    }
+  }
+
+ done:
+  /*
+   * Even if arenaOpt is NULL, we have to copy the data so that
+   * it'll be freed with the right version of free: ours, not
+   * PR_smprintf_free's.
+   */
+  len = PL_strlen(a);
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
+  if( (NSSUTF8 *)NULL == rv ) {
+    PR_smprintf_free(a);
+    return (NSSUTF8 *)NULL;
+  }
+
+  nsslibc_memcpy(rv, a, len);
+  PR_smprintf_free(a);
+
+  return rv;
+}
+
+/*
+ * nssOID_getExplanation
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a static pointer to a UTF8-encoded string
+ * describing (in English) the specified OID.  The memory pointed to
+ * by the return value is not owned by the caller, and should not be
+ * freed or modified.  Note that explanations are only provided for
+ * the OIDs built into the NSS library; there is no way to specify an
+ * explanation for dynamically created OIDs.  This routine is intended
+ * only for use in debugging tools such as "derdump."  This routine
+ * may return null upon error, in which case it will have placed an
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  NULL upon error
+ *  A static pointer to a readonly, non-caller-owned UTF8-encoded
+ *    string explaining the specified OID.
+ */
+
+#ifdef DEBUG
+NSS_EXTERN const NSSUTF8 *
+nssOID_getExplanation
+(
+  NSSOID *oid
+)
+{
+  if( PR_SUCCESS != oid_init() ) {
+    return (const NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return oid->expl;
+}
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getTaggedUTF8
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a pointer to a caller-owned UTF8-encoded
+ * string containing a tagged encoding of the specified OID.  Note
+ * that OID (component) tags are only provided for the OIDs built 
+ * into the NSS library; there is no way to specify tags for 
+ * dynamically created OIDs.  This routine is intended for use in
+ * debugging tools such as "derdump."   If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return return null upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the tagged encoding of
+ *      this NSSOID
+ */
+
+#ifdef DEBUG
+NSS_EXTERN NSSUTF8 *
+nssOID_getTaggedUTF8
+(
+  NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  char *raw;
+  char *c;
+  char *a = (char *)NULL;
+  char *b;
+  PRBool done = PR_FALSE;
+  PRUint32 len;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  a = PR_smprintf("{");
+  if( (char *)NULL == a ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+
+  /*
+   * What I'm doing here is getting the text version of the OID,
+   * e.g. 1.2.12.92, then looking up each set of leading numbers
+   * as oids.. e.g. "1," then "1.2," then "1.2.12," etc.  Each of
+   * those will have the leaf tag, and I just build up the string.
+   * I never said this was the most efficient way of doing it,
+   * but hey it's a debug-build thing, and I'm getting really tired
+   * of writing this stupid low-level PKI code.
+   */
+
+  /* I know it's all ASCII, so I can use char */
+  raw = (char *)nssOID_GetUTF8Encoding(oid, (NSSArena *)NULL);
+  if( (char *)NULL == raw ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  for( c = raw; !done; c++ ) {
+    NSSOID *lead;
+    char *lastdot;
+
+    for( ; '.' != *c; c++ ) {
+      if( '\0' == *c ) {
+        done = PR_TRUE;
+        break;
+      }
+    }
+
+    *c = '\0';
+    lead = nssOID_CreateFromUTF8((NSSUTF8 *)raw);
+    if( (NSSOID *)NULL == lead ) {
+      PR_smprintf_free(a);
+      nss_ZFreeIf(raw);
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+
+    lastdot = PL_strrchr(raw, '.');
+    if( (char *)NULL == lastdot ) {
+      lastdot = raw;
+    }
+
+    b = PR_smprintf("%s %s(%s) ", a, lead->tag, &lastdot[1]);
+    if( (char *)NULL == b ) {
+      PR_smprintf_free(a);
+      nss_ZFreeIf(raw);
+      /* drop the OID reference on the floor */
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+
+    PR_smprintf_free(a);
+    a = b;
+
+    if( !done ) {
+      *c = '.';
+    }
+  }
+
+  nss_ZFreeIf(raw);
+
+  b = PR_smprintf("%s }", a);
+  if( (char *)NULL == b ) {
+    PR_smprintf_free(a);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+
+  len = PL_strlen(b);
+  
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
+  if( (NSSUTF8 *)NULL == rv ) {
+    PR_smprintf_free(b);
+    return (NSSUTF8 *)NULL;
+  }
+
+  nsslibc_memcpy(rv, b, len);
+  PR_smprintf_free(b);
+
+  return rv;
+}
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
diff --git a/security/nss/lib/pki1/oidgen.perl b/security/nss/lib/pki1/oidgen.perl
new file mode 100755
index 000000000..959e3cbaf
--- /dev/null
+++ b/security/nss/lib/pki1/oidgen.perl
@@ -0,0 +1,311 @@
+#!perl
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
+
+$count = -1;
+while(<>) {
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
+  $name = $1;
+  $value = $2;
+  # This is certainly not the best way to dequote the data.
+  $value =~ s/"//g;
+
+  if( $name =~ "OID" ) {
+    $count++;
+    $x[$count]{$name} = $value;
+    $enc = encodeoid($value);
+    $x[$count]{" encoding"} = escapeoid($enc);
+    $x[$count]{" encoding length"} = length($enc);
+  } else {
+    if( $count < 0 ) {
+      $g{$name} = $value;
+    } else {
+      $x[$count]{$name} = $value;
+    }
+  }
+}
+
+# dodump();
+doprint();
+
+sub dodump {
+for( $i = 0; $i <= $count; $i++ ) {
+  print "number $i:\n";
+  %y = %{$x[$i]};
+  while(($n,$v) = each(%y)) {
+    print "\t$n ==> $v\n";
+  }
+}
+}
+
+sub doprint {
+open(CFILE, ">oiddata.c") || die "Can't open oiddata.c: $!"; 
+open(HFILE, ">oiddata.h") || die "Can't open oiddata.h: $!";
+
+print CFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifdef DEBUG
+static const char CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+const NSSOID nss_builtin_oids[] = {
+EOD
+    ;
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  print CFILE "  {\n";
+  print CFILE "#ifdef DEBUG\n";
+  print CFILE "    \"$y{TAG}\",\n";
+  print CFILE "    \"$y{EXPL}\",\n";
+  print CFILE "#endif /* DEBUG */\n";
+  print CFILE "    { \"", $y{" encoding"};
+  print CFILE "\", ", $y{" encoding length"}, " }\n";
+
+  if( $i == $count ) {
+    print CFILE "  }\n";
+  } else {
+    print CFILE "  },\n";
+  }
+}
+
+print CFILE "};\n\n";
+
+print CFILE "const PRUint32 nss_builtin_oid_count = ", ($count+1), ";\n\n";
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{NAME}) ) {
+    print CFILE "const NSSOID *$y{NAME} = (NSSOID *)&nss_builtin_oids[$i];\n";
+  }
+}
+
+print CFILE "\n";
+
+$attrcount = -1;
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{ATTR}) ) {
+    if( defined($y{NAME}) ) {
+      $attrcount++;
+      $attr[$attrcount]{ATTR} = $y{ATTR};
+      $attr[$attrcount]{NAME} = $y{NAME};
+    } else {
+      warn "Attribute $y{ATTR} has no name, and will be omitted!";
+    }
+  }
+}
+
+print CFILE "const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {\n";
+
+for( $i = 0; $i <= $attrcount; $i++ ) {
+  %y = %{$attr[$i]};
+  print CFILE "  {\n";
+  print CFILE "    \"$y{ATTR}\",\n";
+  print CFILE "    &$y{NAME}\n";
+
+  if( $i == $attrcount ) {
+    print CFILE "  }\n";
+  } else {
+    print CFILE "  },\n";
+  }
+}
+
+print CFILE "};\n\n";
+
+print CFILE "const PRUint32 nss_attribute_type_alias_count = ", ($attrcount+1), ";\n\n";
+
+print HFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef OIDDATA_H
+#define OIDDATA_H
+
+#ifdef DEBUG
+static const char OIDDATA_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+extern const NSSOID nss_builtin_oids[];
+extern const PRUint32 nss_builtin_oid_count;
+
+/*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
+/*extern const PRUint32 nss_attribute_type_alias_count;*/
+
+EOD
+    ;
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{NAME}) ) {
+    print HFILE "extern const NSSOID *$y{NAME};\n";
+  }
+}
+
+print HFILE <<EOD
+
+#endif /* OIDDATA_H */
+EOD
+    ;
+
+close CFILE;
+close HFILE;
+}
+
+sub encodenum {
+    my $v = $_[0];
+    my @d;
+    my $i;
+    my $rv = "";
+
+    while( $v > 128 ) {
+        push @d, ($v % 128);
+        $v /= 128;
+    };
+    push @d, ($v%128);
+
+    for( $i = @d-1; $i > 0; $i-- ) {
+        $rv = $rv . chr(128 + $d[$i]);
+    }
+
+    $rv = $rv . chr($d[0]);
+
+    return $rv;
+}
+
+sub encodeoid {
+    my @o = split(/\./, $_[0]);
+    my $rv = "";
+    my $i;
+
+    if( @o < 2 ) {
+        # NSS's special "illegal" encoding
+        return chr(128) . encodenum($o[0]);
+    }
+
+    $rv = encodenum($o[0] * 40 + $o[1]);
+    shift @o; shift @o;
+
+    foreach $i (@o) {
+        $rv = $rv . encodenum($i);
+    }
+
+    return $rv;
+}
+
+sub escapeoid {
+  my @v = unpack("C*", $_[0]);
+  my $a;
+  my $rv = "";
+
+  foreach $a (@v) {
+    $rv = $rv . sprintf("\\x%02x", $a);
+  }
+
+  return $rv;
+}
diff --git a/security/nss/lib/pki1/oids.txt b/security/nss/lib/pki1/oids.txt
new file mode 100644
index 000000000..df7b3ab28
--- /dev/null
+++ b/security/nss/lib/pki1/oids.txt
@@ -0,0 +1,2115 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+# Fields
+#  OID  -- the OID data itself, in dotted-number format
+#  TAG  -- the unofficial but common name.  e.g., when written like
+#          { joint-iso-ccitt(2) country(16) US(840) company(1) netscape(113730) }
+#          those words ("joint-iso-ccitt," "country," etc.) are the tags.
+#  EXPL -- a textual explanation, that should stand by itself
+#  NAME -- the name we use in our code.  If no NAME is given, it won't be included
+#
+# Additionally, some sets of OIDs map to some other spaces.. 
+# additional fields capture that data:
+#
+#  CKM  -- the corresponding Cryptoki Mechanism, if any
+#  CKK  -- the corresponding Cryptoki Key type, if any
+#  ATTR -- the UTF-8 attribute type encoding, if applicable
+#          it should be in the standard presentation style (e.g., lowercase),
+#          already-escaped a la RFC 2253 if necessary (which would only
+#          be necessary if some idiot defined an attribute with, say,
+#          an equals sign in it)
+#  CERT_EXTENSION -- SUPPORTED or UNSUPPORTED certificate extension, if applicable
+
+# Top of the OID tree -- see http://www.alvestrand.no/objectid/top.html
+# 
+OID 0
+TAG ccitt               # ITU-T used to be called CCITT
+EXPL "ITU-T"
+
+# See X.208 Annex C for an explanation of the OIDs below ccitt/itu-t
+
+OID 0.0
+TAG recommendation
+EXPL "ITU-T Recommendation"
+
+OID 0.1
+TAG question
+EXPL "ITU-T Question"
+
+OID 0.2
+TAG administration
+EXPL "ITU-T Administration"
+
+OID 0.3
+TAG network-operator
+EXPL "ITU-T Network Operator"
+
+OID 0.4
+TAG identified-organization
+EXPL "ITU-T Identified Organization"
+
+OID 0.9           # used in some RFCs (unofficial!)
+TAG data
+EXPL "RFC Data"
+
+OID 0.9.2342
+TAG pss
+EXPL "PSS British Telecom X.25 Network"
+
+OID 0.9.2342.19200300
+TAG ucl
+EXPL "RFC 1274 UCL Data networks"
+
+OID 0.9.2342.19200300.100
+TAG pilot
+EXPL "RFC 1274 pilot"
+
+OID 0.9.2342.19200300.100.1
+TAG attributeType
+EXPL "RFC 1274 Attribute Type"
+
+OID 0.9.2342.19200300.100.1.1
+TAG uid
+EXPL "RFC 1274 User Id"
+NAME NSS_OID_RFC1274_UID
+ATTR "uid"
+
+OID 0.9.2342.19200300.100.1.3
+TAG mail
+EXPL "RFC 1274 E-mail Addres"
+NAME NSS_OID_RFC1274_EMAIL
+ATTR "mail" # XXX fgmr
+
+OID 0.9.2342.19200300.100.1.25
+TAG dc
+EXPL "RFC 2247 Domain Component"
+NAME NSS_OID_RFC2247_DC
+ATTR "dc"
+
+OID 0.9.2342.19200300.100.3
+TAG attributeSyntax
+EXPL "RFC 1274 Attribute Syntax"
+
+OID 0.9.2342.19200300.100.3.4
+TAG iA5StringSyntax
+EXPL "RFC 1274 IA5 String Attribute Syntax"
+
+OID 0.9.2342.19200300.100.3.5
+TAG caseIgnoreIA5StringSyntax
+EXPL "RFC 1274 Case-Ignore IA5 String Attribute Syntax"
+
+OID 0.9.2342.19200300.100.4
+TAG objectClass
+EXPL "RFC 1274 Object Class"
+
+OID 0.9.2342.19200300.100.10
+TAG groups
+EXPL "RFC 1274 Groups"
+
+OID 0.9.2342.234219200300 
+TAG ucl
+EXPL "RFC 1327 ucl"
+
+OID 1
+TAG iso
+EXPL "ISO"
+
+# See X.208 Annex B for an explanation of the OIDs below iso
+
+OID 1.0
+TAG standard
+EXPL "ISO Standard"
+
+OID 1.1
+TAG registration-authority
+EXPL "ISO Registration Authority"
+
+OID 1.2
+TAG member-body
+EXPL "ISO Member Body"
+
+OID 1.2.36
+TAG australia
+EXPL "Australia (ISO)"
+
+OID 1.2.158
+TAG taiwan
+EXPL "Taiwan (ISO)"
+
+OID 1.2.372 
+TAG ireland
+EXPL "Ireland (ISO)"
+
+OID 1.2.578 
+TAG norway
+EXPL "Norway (ISO)"
+
+OID 1.2.752 
+TAG sweden
+EXPL "Sweden (ISO)"
+
+OID 1.2.826 
+TAG great-britain
+EXPL "Great Britain (ISO)"
+
+OID 1.2.840
+TAG us
+EXPL "United States (ISO)"
+
+OID 1.2.840.1 
+TAG organization
+EXPL "US (ISO) organization"
+
+OID 1.2.840.10003
+TAG ansi-z30-50
+EXPL "ANSI Z39.50"
+
+OID 1.2.840.10008
+TAG dicom
+EXPL "DICOM"
+
+OID 1.2.840.10017
+TAG ieee-1224
+EXPL "IEEE 1224"
+
+OID 1.2.840.10022
+TAG ieee-802-10
+EXPL "IEEE 802.10"
+
+OID 1.2.840.10036
+TAG ieee-802-11
+EXPL "IEEE 802.11"
+
+OID 1.2.840.10040
+TAG x9-57
+EXPL "ANSI X9.57"
+
+# RFC 2459:
+#
+# holdInstruction OBJECT IDENTIFIER ::=
+#           {iso(1) member-body(2) us(840) x9cm(10040) 2}
+#
+# Note that the appendices of RFC 2459 define the (wrong) value
+# of 2.2.840.10040.2 for this oid.
+OID 1.2.840.10040.2
+TAG holdInstruction
+EXPL "ANSI X9.57 Hold Instruction"
+
+# RFC 2459:
+#
+# id-holdinstruction-none OBJECT IDENTIFIER  ::=
+#                 {holdInstruction 1} -- deprecated
+OID 1.2.840.10040.2.1
+TAG id-holdinstruction-none
+EXPL "ANSI X9.57 Hold Instruction: None"
+
+# RFC 2459:
+#
+# id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+#                 {holdInstruction 2}
+OID 1.2.840.10040.2.2
+TAG id-holdinstruction-callissuer
+EXPL "ANSI X9.57 Hold Instruction: Call Issuer"
+
+# RFC 2459:
+#
+# id-holdinstruction-reject OBJECT IDENTIFIER ::=
+#                 {holdInstruction 3}
+OID 1.2.840.10040.2.3
+TAG id-holdinstruction-reject
+EXPL "ANSI X9.57 Hold Instruction: Reject"
+
+OID 1.2.840.10040.4
+TAG x9algorithm
+EXPL "ANSI X9.57 Algorithm"
+
+# RFC 2459:
+#
+# id-dsa OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
+OID 1.2.840.10040.4.1
+TAG id-dsa
+EXPL "ANSI X9.57 DSA Signature"
+NAME NSS_OID_ANSIX9_DSA_SIGNATURE
+CKM CKM_DSA
+CKK CKK_DSA
+
+# RFC 2459:
+#
+# id-dsa-with-sha1 OBJECT IDENTIFIER ::=  {
+#      iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+OID 1.2.840.10040.4.3
+TAG id-dsa-with-sha1
+EXPL "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest"
+NAME NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST
+CKM CKM_DSA_SHA1
+
+OID 1.2.840.10046
+TAG x942
+EXPL "ANSI X9.42"
+
+OID 1.2.840.10046.2
+TAG algorithm
+EXPL "ANSI X9.42 Algorithm"
+
+# RFC 2459:
+#
+# dhpublicnumber OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
+OID 1.2.840.10046.2.1
+TAG dhpublicnumber
+EXPL "Diffie-Hellman Public Key Algorithm"
+NAME NSS_OID_X942_DIFFIE_HELMAN_KEY
+CKM CKM_DH_PKCS_DERIVE
+CKK CKK_DH
+
+OID 1.2.840.113533
+TAG entrust
+EXPL "Entrust Technologies"
+
+OID 1.2.840.113549 
+TAG rsadsi
+EXPL "RSA Data Security Inc."
+
+OID 1.2.840.113549.1 
+# http://www.rsa.com/rsalabs/pubs/PKCS/
+TAG pkcs
+EXPL "PKCS"
+
+# RFC 2459:
+#
+# pkcs-1 OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
+OID 1.2.840.113549.1.1
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
+TAG pkcs-1
+EXPL "PKCS #1"
+
+# RFC 2459:
+#
+# rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1 }
+OID 1.2.840.113549.1.1.1
+TAG rsaEncryption
+EXPL "PKCS #1 RSA Encryption"
+NAME NSS_OID_PKCS1_RSA_ENCRYPTION
+CKM CKM_RSA_PKCS
+CKK CKK_RSA
+
+# RFC 2459:
+#
+# md2WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 2 }
+OID 1.2.840.113549.1.1.2 
+TAG md2WithRSAEncryption
+EXPL "PKCS #1 MD2 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION
+CKM CKM_MD2_RSA_PKCS
+
+OID 1.2.840.113549.1.1.3 
+TAG md4WithRSAEncryption
+EXPL "PKCS #1 MD4 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION
+# No CKM!
+
+# RFC 2459:
+#
+# md5WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 4 }
+OID 1.2.840.113549.1.1.4 
+TAG md5WithRSAEncryption
+EXPL "PKCS #1 MD5 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
+CKM CKM_MD5_RSA_PKCS
+
+# RFC 2459:
+#
+# sha1WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 5 }
+OID 1.2.840.113549.1.1.5 
+TAG sha1WithRSAEncryption
+EXPL "PKCS #1 SHA-1 With RSA Encryption"    
+NAME NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION
+CKM CKM_SHA1_RSA_PKCS
+
+OID 1.2.840.113549.1.5 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc
+TAG pkcs-5
+EXPL "PKCS #5"
+
+OID 1.2.840.113549.1.5.1 
+TAG pbeWithMD2AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With MD2 and DES-CBC"     
+NAME NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC
+CKM CKM_PBE_MD2_DES_CBC
+
+OID 1.2.840.113549.1.5.3 
+TAG pbeWithMD5AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With MD5 and DES-CBC"     
+NAME NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC
+CKM CKM_PBE_MD5_DES_CBC
+
+OID 1.2.840.113549.1.5.10 
+TAG pbeWithSha1AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC"   
+NAME NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_DES_CBC
+
+OID 1.2.840.113549.1.7 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-7.asc
+TAG pkcs-7
+EXPL "PKCS #7"
+NAME NSS_OID_PKCS7
+
+OID 1.2.840.113549.1.7.1
+TAG data
+EXPL "PKCS #7 Data"
+NAME NSS_OID_PKCS7_DATA
+
+OID 1.2.840.113549.1.7.2 
+TAG signedData
+EXPL "PKCS #7 Signed Data"
+NAME NSS_OID_PKCS7_SIGNED_DATA
+
+OID 1.2.840.113549.1.7.3 
+TAG envelopedData
+EXPL "PKCS #7 Enveloped Data"
+NAME NSS_OID_PKCS7_ENVELOPED_DATA
+
+OID 1.2.840.113549.1.7.4 
+TAG signedAndEnvelopedData
+EXPL "PKCS #7 Signed and Enveloped Data"
+NAME NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA
+
+OID 1.2.840.113549.1.7.5 
+TAG digestedData
+EXPL "PKCS #7 Digested Data"
+NAME NSS_OID_PKCS7_DIGESTED_DATA
+
+OID 1.2.840.113549.1.7.6 
+TAG encryptedData
+EXPL "PKCS #7 Encrypted Data"
+NAME NSS_OID_PKCS7_ENCRYPTED_DATA
+
+# RFC 2459:
+#
+# pkcs-9 OBJECT IDENTIFIER ::=
+#        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+OID 1.2.840.113549.1.9 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-9.asc
+TAG pkcs-9
+EXPL "PKCS #9"
+
+# RFC 2459:
+#
+# emailAddress AttributeType      ::= { pkcs-9 1 }
+OID 1.2.840.113549.1.9.1
+TAG emailAddress
+EXPL "PKCS #9 Email Address"
+NAME NSS_OID_PKCS9_EMAIL_ADDRESS
+
+OID 1.2.840.113549.1.9.2 
+TAG unstructuredName
+EXPL "PKCS #9 Unstructured Name"
+NAME NSS_OID_PKCS9_UNSTRUCTURED_NAME
+
+OID 1.2.840.113549.1.9.3 
+TAG contentType
+EXPL "PKCS #9 Content Type"
+NAME NSS_OID_PKCS9_CONTENT_TYPE
+
+OID 1.2.840.113549.1.9.4 
+TAG messageDigest
+EXPL "PKCS #9 Message Digest"
+NAME NSS_OID_PKCS9_MESSAGE_DIGEST
+
+OID 1.2.840.113549.1.9.5 
+TAG signingTime
+EXPL "PKCS #9 Signing Time"
+NAME NSS_OID_PKCS9_SIGNING_TIME
+
+OID 1.2.840.113549.1.9.6 
+TAG counterSignature
+EXPL "PKCS #9 Counter Signature"
+NAME NSS_OID_PKCS9_COUNTER_SIGNATURE
+
+OID 1.2.840.113549.1.9.7 
+TAG challengePassword
+EXPL "PKCS #9 Challenge Password"
+NAME NSS_OID_PKCS9_CHALLENGE_PASSWORD
+
+OID 1.2.840.113549.1.9.8 
+TAG unstructuredAddress
+EXPL "PKCS #9 Unstructured Address"
+NAME NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS
+
+OID 1.2.840.113549.1.9.9 
+TAG extendedCertificateAttributes
+EXPL "PKCS #9 Extended Certificate Attributes"
+NAME NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES
+
+OID 1.2.840.113549.1.9.15 
+TAG sMIMECapabilities
+EXPL "PKCS #9 S/MIME Capabilities"
+NAME NSS_OID_PKCS9_SMIME_CAPABILITIES
+
+OID 1.2.840.113549.1.9.20
+TAG friendlyName
+EXPL "PKCS #9 Friendly Name"
+NAME NSS_OID_PKCS9_FRIENDLY_NAME
+
+OID 1.2.840.113549.1.9.21
+TAG localKeyID
+EXPL "PKCS #9 Local Key ID"
+NAME NSS_OID_PKCS9_LOCAL_KEY_ID
+
+OID 1.2.840.113549.1.9.22 
+TAG certTypes
+EXPL "PKCS #9 Certificate Types"
+
+OID 1.2.840.113549.1.9.22.1
+TAG x509Certificate
+EXPL "PKCS #9 Certificate Type = X.509"
+NAME NSS_OID_PKCS9_X509_CERT
+
+OID 1.2.840.113549.1.9.22.2
+TAG sdsiCertificate
+EXPL "PKCS #9 Certificate Type = SDSI"
+NAME NSS_OID_PKCS9_SDSI_CERT
+
+OID 1.2.840.113549.1.9.23 
+TAG crlTypes
+EXPL "PKCS #9 Certificate Revocation List Types"
+
+OID 1.2.840.113549.1.9.23.1
+TAG x509Crl
+EXPL "PKCS #9 CRL Type = X.509"
+NAME NSS_OID_PKCS9_X509_CRL
+
+OID 1.2.840.113549.1.12
+# http://www.rsa.com/rsalabs/pubs/PKCS/html/pkcs-12.html
+# NOTE -- PKCS #12                          multiple contradictory
+#         documents exist.  Somebody go figure out the canonical
+#         OID list, keeping in mind backwards-compatability..
+TAG pkcs-12
+EXPL "PKCS #12"
+NAME NSS_OID_PKCS12
+
+OID 1.2.840.113549.1.12.1 
+TAG pkcs-12PbeIds
+EXPL "PKCS #12 Password Based Encryption IDs"
+NAME NSS_OID_PKCS12_PBE_IDS
+# We called it SEC_OID_PKCS12_MODE_IDS
+
+OID 1.2.840.113549.1.12.1.1
+TAG pbeWithSHA1And128BitRC4
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.1.2
+TAG pbeWithSHA1And40BitRC4
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.1.3
+TAG pbeWithSHA1And3-KeyTripleDES-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.1.4
+TAG pbeWithSHA1And2-KeyTripleDES-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC
+CKM CKM_PBE_SHA1_DES2_EDE_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.1.5
+TAG pbeWithSHA1And128BitRC2-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.1.6
+TAG pbeWithSHA1And40BitRC2-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.2 
+TAG pkcs-12EspvkIds
+EXPL "PKCS #12 ESPVK IDs"
+# We called it SEC_OID_PKCS12_ESPVK_IDS
+
+OID 1.2.840.113549.1.12.2.1
+TAG pkcs8-key-shrouding
+EXPL "PKCS #12 Key Shrouding"
+# We called it SEC_OID_PKCS12_PKCS8_KEY_SHROUDING
+
+OID 1.2.840.113549.1.12.3 
+TAG draft1Pkcs-12Bag-ids
+EXPL "Draft 1.0 PKCS #12 Bag IDs"
+# We called it SEC_OID_PKCS12_BAG_IDS
+
+OID 1.2.840.113549.1.12.3.1
+TAG keyBag
+EXPL "Draft 1.0 PKCS #12 Key Bag"
+# We called it SEC_OID_PKCS12_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.3.2
+TAG certAndCRLBagId
+EXPL "Draft 1.0 PKCS #12 Cert and CRL Bag ID"
+# We called it SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
+
+OID 1.2.840.113549.1.12.3.3
+TAG secretBagId
+EXPL "Draft 1.0 PKCS #12 Secret Bag ID"
+# We called it SEC_OID_PKCS12_SECRET_BAG_ID
+
+OID 1.2.840.113549.1.12.3.4
+TAG safeContentsId
+EXPL "Draft 1.0 PKCS #12 Safe Contents Bag ID"
+# We called it SEC_OID_PKCS12_SAFE_CONTENTS_ID
+
+OID 1.2.840.113549.1.12.3.5
+TAG pkcs-8ShroudedKeyBagId
+EXPL "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID"
+# We called it SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.4 
+TAG pkcs-12CertBagIds
+EXPL "PKCS #12 Certificate Bag IDs"
+# We called it SEC_OID_PKCS12_CERT_BAG_IDS
+
+OID 1.2.840.113549.1.12.4.1
+TAG x509CertCRLBagId
+EXPL "PKCS #12 X.509 Certificate and CRL Bag"
+# We called it SEC_OID_PKCS12_X509_CERT_CRL_BAG
+
+OID 1.2.840.113549.1.12.4.2
+TAG SDSICertBagID
+EXPL "PKCS #12 SDSI Certificate Bag"
+# We called it SEC_OID_PKCS12_SDSI_CERT_BAG
+
+OID 1.2.840.113549.1.12.5 
+TAG pkcs-12Oids
+EXPL "PKCS #12 OIDs (XXX)"
+# We called it SEC_OID_PKCS12_OIDS
+
+OID 1.2.840.113549.1.12.5.1 
+TAG pkcs-12PbeIds
+EXPL "PKCS #12 OIDs PBE IDs (XXX)"
+# We called it SEC_OID_PKCS12_PBE_IDS
+
+OID 1.2.840.113549.1.12.5.1.1
+TAG pbeWithSha1And128BitRC4
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.1.2
+TAG pbeWithSha1And40BitRC4
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.1.3
+TAG pbeWithSha1AndTripleDES-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.5.1.4
+TAG pbeWithSha1And128BitRC2-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.5.1.5
+TAG pbeWithSha1And40BitRC2-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.5.2 
+TAG pkcs-12EnvelopingIds
+EXPL "PKCS #12 OIDs Enveloping IDs (XXX)"
+# We called it SEC_OID_PKCS12_ENVELOPING_IDS
+
+OID 1.2.840.113549.1.12.5.2.1
+TAG rsaEncryptionWith128BitRC4
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.2.2
+TAG rsaEncryptionWith40BitRC4
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.2.3
+TAG rsaEncryptionWithTripleDES
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES
+
+OID 1.2.840.113549.1.12.5.3 
+TAG pkcs-12SignatureIds
+EXPL "PKCS #12 OIDs Signature IDs (XXX)"
+# We called it SEC_OID_PKCS12_SIGNATURE_IDS
+
+OID 1.2.840.113549.1.12.5.3.1
+TAG rsaSignatureWithSHA1Digest
+EXPL "PKCS #12 OIDs RSA Signature with SHA-1 Digest"
+# We called it SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST
+
+OID 1.2.840.113549.1.12.10 
+TAG pkcs-12Version1
+EXPL "PKCS #12 Version 1"
+
+OID 1.2.840.113549.1.12.10.1
+TAG pkcs-12BagIds
+EXPL "PKCS #12 Bag IDs"
+
+OID 1.2.840.113549.1.12.10.1.1
+TAG keyBag
+EXPL "PKCS #12 Key Bag"
+NAME NSS_OID_PKCS12_KEY_BAG
+# We called it SEC_OID_PKCS12_V1_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.2
+TAG pkcs-8ShroudedKeyBag
+EXPL "PKCS #12 PKCS #8-shrouded Key Bag"
+NAME NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG
+# We called it SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.3
+TAG certBag
+EXPL "PKCS #12 Certificate Bag"
+NAME NSS_OID_PKCS12_CERT_BAG
+# We called it SEC_OID_PKCS12_V1_CERT_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.4
+TAG crlBag
+EXPL "PKCS #12 CRL Bag"
+NAME NSS_OID_PKCS12_CRL_BAG
+# We called it SEC_OID_PKCS12_V1_CRL_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.5
+TAG secretBag
+EXPL "PKCS #12 Secret Bag"
+NAME NSS_OID_PKCS12_SECRET_BAG
+# We called it SEC_OID_PKCS12_V1_SECRET_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.6
+TAG safeContentsBag
+EXPL "PKCS #12 Safe Contents Bag"
+NAME NSS_OID_PKCS12_SAFE_CONTENTS_BAG
+# We called it SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID
+
+OID 1.2.840.113549.2
+TAG digest
+EXPL "RSA digest algorithm"
+
+OID 1.2.840.113549.2.2 
+TAG md2
+EXPL "MD2"
+NAME NSS_OID_MD2
+CKM CKM_MD2
+
+OID 1.2.840.113549.2.4 
+TAG md4
+EXPL "MD4"
+NAME NSS_OID_MD4
+# No CKM
+
+OID 1.2.840.113549.2.5
+TAG md5
+EXPL "MD5"
+NAME NSS_OID_MD5
+CKM CKM_MD5
+
+OID 1.2.840.113549.3 
+TAG cipher
+EXPL "RSA cipher algorithm"
+
+OID 1.2.840.113549.3.2 
+TAG rc2cbc
+EXPL "RC2-CBC"
+NAME NSS_OID_RC2_CBC
+CKM_RC2_CBC
+
+OID 1.2.840.113549.3.4 
+TAG rc4
+EXPL "RC4"
+NAME NSS_OID_RC4
+CKM CKM_RC4
+
+OID 1.2.840.113549.3.7 
+TAG desede3cbc
+EXPL "DES-EDE3-CBC"
+NAME NSS_OID_DES_EDE3_CBC
+CKM CKM_DES3_CBC
+
+OID 1.2.840.113549.3.9 
+TAG rc5cbcpad
+EXPL "RC5-CBCPad"
+NAME NSS_OID_RC5_CBC_PAD
+CKM CKM_RC5_CBC
+
+OID 1.2.840.113556
+TAG microsoft
+EXPL "Microsoft"
+
+OID 1.2.840.113560
+TAG columbia-university
+EXPL "Columbia University"
+
+OID 1.2.840.113572
+TAG unisys
+EXPL "Unisys"
+
+OID 1.2.840.113658
+TAG xapia
+EXPL "XAPIA"
+
+OID 1.2.840.113699
+TAG wordperfect
+EXPL "WordPerfect"
+
+OID 1.3
+TAG identified-organization
+EXPL "ISO identified organizations"
+
+OID 1.3.6
+TAG us-dod
+EXPL "United States Department of Defense"
+
+OID 1.3.6.1 
+TAG internet  # See RFC 1065
+EXPL "The Internet"
+
+OID 1.3.6.1.1
+TAG directory
+EXPL "Internet: Directory"
+
+OID 1.3.6.1.2
+TAG management
+EXPL "Internet: Management"
+
+OID 1.3.6.1.3
+TAG experimental
+EXPL "Internet: Experimental"
+
+OID 1.3.6.1.4
+TAG private
+EXPL "Internet: Private"
+
+OID 1.3.6.1.5
+TAG security
+EXPL "Internet: Security"
+
+OID 1.3.6.1.5.5
+
+# RFC 2459:
+#
+# id-pkix  OBJECT IDENTIFIER  ::=
+#          { iso(1) identified-organization(3) dod(6) internet(1)
+#                     security(5) mechanisms(5) pkix(7) }
+OID 1.3.6.1.5.5.7 
+TAG id-pkix
+EXPL "Public Key Infrastructure"
+
+# RFC 2459:
+#
+# PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1)
+#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
+OID 1.3.6.1.5.5.7.0.1
+TAG PKIX1Explicit88
+EXPL "RFC 2459 Explicitly Tagged Module, 1988 Syntax"
+
+# RFC 2459:
+#
+# PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1)
+#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)}
+OID 1.3.6.1.5.5.7.0.2
+TAG PKIXImplicit88
+EXPL "RFC 2459 Implicitly Tagged Module, 1988 Syntax"
+
+# RFC 2459:
+#
+# PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1)
+#    security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)}
+OID 1.3.6.1.5.5.7.0.3
+TAG PKIXExplicit93
+EXPL "RFC 2459 Explicitly Tagged Module, 1993 Syntax"
+
+# RFC 2459:
+#
+# id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
+#         -- arc for private certificate extensions
+OID 1.3.6.1.5.5.7.1 
+TAG id-pe
+EXPL "PKIX Private Certificate Extensions"
+
+# RFC 2459:
+#
+# id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+OID 1.3.6.1.5.5.7.1.1
+TAG id-pe-authorityInfoAccess
+EXPL "Certificate Authority Information Access"
+NAME NSS_OID_X509_AUTH_INFO_ACCESS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+#         -- arc for policy qualifier types
+OID 1.3.6.1.5.5.7.2 
+TAG id-qt
+EXPL "PKIX Policy Qualifier Types"
+
+# RFC 2459:
+#
+# id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
+#         -- OID for CPS qualifier
+OID 1.3.6.1.5.5.7.2.1
+TAG id-qt-cps
+EXPL "PKIX CPS Pointer Qualifier"
+NAME NSS_OID_PKIX_CPS_POINTER_QUALIFIER
+
+# RFC 2459:
+#
+# id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
+#         -- OID for user notice qualifier
+OID 1.3.6.1.5.5.7.2.2
+TAG id-qt-unotice
+EXPL "PKIX User Notice Qualifier"
+NAME NSS_OID_PKIX_USER_NOTICE_QUALIFIER
+
+# RFC 2459:
+#
+# id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+#         -- arc for extended key purpose OIDS
+OID 1.3.6.1.5.5.7.3 
+TAG id-kp
+EXPL "PKIX Key Purpose"
+
+# RFC 2459:
+#
+# id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
+OID 1.3.6.1.5.5.7.3.1
+TAG id-kp-serverAuth
+EXPL "TLS Web Server Authentication Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_SERVER_AUTH
+
+# RFC 2459:
+#
+# id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
+OID 1.3.6.1.5.5.7.3.2
+TAG id-kp-clientAuth
+EXPL "TLS Web Client Authentication Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH
+
+# RFC 2459:
+#
+# id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
+OID 1.3.6.1.5.5.7.3.3
+TAG id-kp-codeSigning
+EXPL "Code Signing Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_CODE_SIGN
+
+# RFC 2459:
+#
+# id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+OID 1.3.6.1.5.5.7.3.4
+TAG id-kp-emailProtection
+EXPL "E-Mail Protection Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION
+
+# RFC 2459:
+#
+# id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
+OID 1.3.6.1.5.5.7.3.5
+TAG id-kp-ipsecEndSystem
+EXPL "IPSEC End System Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM
+
+# RFC 2459:
+#
+# id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
+OID 1.3.6.1.5.5.7.3.6
+TAG id-kp-ipsecTunnel
+EXPL "IPSEC Tunnel Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL
+
+# RFC 2459:
+#
+# id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
+OID 1.3.6.1.5.5.7.3.7
+TAG id-kp-ipsecUser
+EXPL "IPSEC User Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_USER
+
+# RFC 2459:
+#
+# id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
+OID 1.3.6.1.5.5.7.3.8
+TAG id-kp-timeStamping
+EXPL "Time Stamping Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_TIME_STAMP
+
+OID 1.3.6.1.5.5.7.3.9
+TAG ocsp-responder
+EXPL "OCSP Responder Certificate"
+NAME NSS_OID_OCSP_RESPONDER
+
+OID 1.3.6.1.5.5.7.7 
+TAG pkix-id-pkix
+
+OID 1.3.6.1.5.5.7.7.5 
+TAG pkix-id-pkip
+
+OID 1.3.6.1.5.5.7.7.5.1 
+TAG pkix-id-regctrl
+EXPL "CRMF Registration Control"
+
+OID 1.3.6.1.5.5.7.7.5.1.1
+TAG regtoken
+EXPL "CRMF Registration Control, Registration Token"
+NAME NSS_OID_PKIX_REGCTRL_REGTOKEN
+
+OID 1.3.6.1.5.5.7.7.5.1.2
+TAG authenticator
+EXPL "CRMF Registration Control, Registration Authenticator"
+NAME NSS_OID_PKIX_REGCTRL_AUTHENTICATOR
+
+OID 1.3.6.1.5.5.7.7.5.1.3
+TAG pkipubinfo
+EXPL "CRMF Registration Control, PKI Publication Info"
+NAME NSS_OID_PKIX_REGCTRL_PKIPUBINFO
+
+OID 1.3.6.1.5.5.7.7.5.1.4
+TAG pki-arch-options
+EXPL "CRMF Registration Control, PKI Archive Options"
+NAME NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS
+
+OID 1.3.6.1.5.5.7.7.5.1.5
+TAG old-cert-id
+EXPL "CRMF Registration Control, Old Certificate ID"
+NAME NSS_OID_PKIX_REGCTRL_OLD_CERT_ID
+
+OID 1.3.6.1.5.5.7.7.5.1.6
+TAG protocol-encryption-key
+EXPL "CRMF Registration Control, Protocol Encryption Key"
+NAME NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY
+
+OID 1.3.6.1.5.5.7.7.5.2 
+TAG pkix-id-reginfo
+EXPL "CRMF Registration Info"
+
+OID 1.3.6.1.5.5.7.7.5.2.1
+TAG utf8-pairs
+EXPL "CRMF Registration Info, UTF8 Pairs"
+NAME NSS_OID_PKIX_REGINFO_UTF8_PAIRS
+
+OID 1.3.6.1.5.5.7.7.5.2.2
+TAG cert-request
+EXPL "CRMF Registration Info, Certificate Request"
+NAME NSS_OID_PKIX_REGINFO_CERT_REQUEST
+
+# RFC 2549:
+#
+# id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+#         -- arc for access descriptors
+OID 1.3.6.1.5.5.7.48 
+TAG id-ad
+EXPL "PKIX Access Descriptors"
+
+# RFC 2549:
+#
+# id-ad-ocsp      OBJECT IDENTIFIER ::= { id-ad 1 }
+OID 1.3.6.1.5.5.7.48.1
+TAG id-ad-ocsp
+EXPL "PKIX Online Certificate Status Protocol"
+NAME NSS_OID_OID_PKIX_OCSP
+
+OID 1.3.6.1.5.5.7.48.1.1
+TAG basic-response
+EXPL "OCSP Basic Response"
+NAME NSS_OID_PKIX_OCSP_BASIC_RESPONSE
+
+OID 1.3.6.1.5.5.7.48.1.2
+TAG nonce-extension
+EXPL "OCSP Nonce Extension"
+NAME NSS_OID_PKIX_OCSP_NONCE
+
+OID 1.3.6.1.5.5.7.48.1.3
+TAG response
+EXPL "OCSP Response Types Extension"
+NAME NSS_OID_PKIX_OCSP_RESPONSE
+
+OID 1.3.6.1.5.5.7.48.1.4
+TAG crl
+EXPL "OCSP CRL Reference Extension"
+NAME NSS_OID_PKIX_OCSP_CRL
+
+OID 1.3.6.1.5.5.7.48.1.5
+TAG no-check
+EXPL "OCSP No Check Extension"
+NAME NSS_OID_X509_OCSP_NO_CHECK  # X509_... ?
+
+OID 1.3.6.1.5.5.7.48.1.6
+TAG archive-cutoff
+EXPL "OCSP Archive Cutoff Extension"
+NAME NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF
+
+OID 1.3.6.1.5.5.7.48.1.7
+TAG service-locator
+EXPL "OCSP Service Locator Extension"
+NAME NSS_OID_PKIX_OCSP_SERVICE_LOCATOR
+
+# RFC 2549:
+#
+# id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+OID 1.3.6.1.5.5.7.48.2
+TAG id-ad-caIssuers
+EXPL "Certificate Authority Issuers"
+
+OID 1.3.6.1.6
+TAG snmpv2
+EXPL "Internet: SNMPv2"
+
+OID 1.3.6.1.7
+TAG mail
+EXPL "Internet: mail"
+
+OID 1.3.6.1.7.1
+TAG mime-mhs
+EXPL "Internet: mail MIME mhs"
+
+OID 1.3.12 
+TAG ecma
+EXPL "European Computers Manufacturing Association"
+
+OID 1.3.14
+TAG oiw
+EXPL "Open Systems Implementors Workshop"
+
+OID 1.3.14.3 secsig
+TAG secsig
+EXPL "Open Systems Implementors Workshop Security Special Interest Group"
+
+OID 1.3.14.3.1
+TAG oIWSECSIGAlgorithmObjectIdentifiers
+EXPL "OIW SECSIG Algorithm OIDs"
+
+OID 1.3.14.3.2 
+TAG algorithm
+EXPL "OIW SECSIG Algorithm"
+
+OID 1.3.14.3.2.6 
+TAG desecb
+EXPL "DES-ECB"
+NAME NSS_OID_DES_ECB
+CKM CKM_DES_ECB
+
+OID 1.3.14.3.2.7
+TAG descbc
+EXPL "DES-CBC"
+NAME NSS_OID_DES_CBC
+CKM CKM_DES_CBC
+
+OID 1.3.14.3.2.8
+TAG desofb
+EXPL "DES-OFB"
+NAME NSS_OID_DES_OFB
+# No CKM..
+
+OID 1.3.14.3.2.9 
+TAG descfb
+EXPL "DES-CFB"
+NAME NSS_OID_DES_CFB
+# No CKM..
+
+OID 1.3.14.3.2.10
+TAG desmac
+EXPL "DES-MAC"
+NAME NSS_OID_DES_MAC
+CKM CKM_DES_MAC
+
+OID 1.3.14.3.2.15 
+TAG isoSHAWithRSASignature
+EXPL "ISO SHA with RSA Signature"
+NAME NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE
+# No CKM..
+
+OID 1.3.14.3.2.17 
+TAG desede
+EXPL "DES-EDE"
+NAME NSS_OID_DES_EDE
+# No CKM..
+
+OID 1.3.14.3.2.26 
+TAG sha1
+EXPL "SHA-1"
+NAME NSS_OID_SHA1
+CKM CKM_SHA_1
+
+OID 1.3.14.3.2.27
+TAG bogusDSASignatureWithSHA1Digest
+EXPL "Forgezza DSA Signature with SHA-1 Digest"
+NAME NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST
+CKM CKM_DSA_SHA1
+
+OID 1.3.14.3.3
+TAG authentication-mechanism
+EXPL "OIW SECSIG Authentication Mechanisms"
+
+OID 1.3.14.3.4
+TAG security-attribute
+EXPL "OIW SECSIG Security Attributes"
+
+OID 1.3.14.3.5
+TAG document-definition
+EXPL "OIW SECSIG Document Definitions used in security"
+
+OID 1.3.14.7
+TAG directory-services-sig
+EXPL "OIW directory services sig"
+
+OID 1.3.16
+TAG ewos
+EXPL "European Workshop on Open Systems"
+
+OID 1.3.22
+TAG osf
+EXPL "Open Software Foundation"
+
+OID 1.3.23
+TAG nordunet
+EXPL "Nordunet"
+
+OID 1.3.26
+TAG nato-id-org
+EXPL "NATO identified organisation"
+
+OID 1.3.36
+TAG teletrust
+EXPL "Teletrust"
+
+OID 1.3.52
+TAG smpte
+EXPL "Society of Motion Picture and Television Engineers"
+
+OID 1.3.69
+TAG sita
+EXPL "Societe Internationale de Telecommunications Aeronautiques"
+
+OID 1.3.90
+TAG iana
+EXPL "Internet Assigned Numbers Authority"
+
+OID 1.3.101 
+TAG thawte
+EXPL "Thawte"
+
+OID 2 
+TAG joint-iso-ccitt
+EXPL "Joint ISO/ITU-T assignment"
+
+OID 2.0
+TAG presentation
+EXPL "Joint ISO/ITU-T Presentation"
+
+OID 2.1
+TAG asn-1
+EXPL "Abstract Syntax Notation One"
+
+OID 2.2
+TAG acse
+EXPL "Association Control"
+
+OID 2.3
+TAG rtse
+EXPL "Reliable Transfer"
+
+OID 2.4
+TAG rose
+EXPL "Remote Operations"
+
+OID 2.5
+TAG x500
+EXPL "Directory"
+
+OID 2.5.1
+TAG modules
+EXPL "X.500 modules"
+
+OID 2.5.2
+TAG service-environment
+EXPL "X.500 service environment"
+
+OID 2.5.3
+TAG application-context
+EXPL "X.500 application context"
+
+# RFC 2459:
+#
+# id-at           OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
+OID 2.5.4
+TAG id-at
+EXPL "X.520 attribute types"
+
+# RFC 2459:
+#
+# id-at-commonName        AttributeType   ::=     {id-at 3}
+OID 2.5.4.3
+TAG id-at-commonName
+EXPL "X.520 Common Name"
+NAME NSS_OID_X520_COMMON_NAME
+ATTR "cn"
+
+# RFC 2459:
+#
+# id-at-surname           AttributeType   ::=     {id-at 4}
+OID 2.5.4.4
+TAG id-at-surname
+EXPL "X.520 Surname"
+NAME NSS_OID_X520_SURNAME
+ATTR "sn"
+
+# RFC 2459:
+#
+# id-at-countryName       AttributeType   ::=     {id-at 6}
+OID 2.5.4.6
+TAG id-at-countryName
+EXPL "X.520 Country Name"
+NAME NSS_OID_X520_COUNTRY_NAME
+ATTR "c"
+
+# RFC 2459:
+#
+# id-at-localityName      AttributeType   ::=     {id-at 7}
+OID 2.5.4.7
+TAG id-at-localityName
+EXPL "X.520 Locality Name"
+NAME NSS_OID_X520_LOCALITY_NAME
+ATTR "l"
+
+# RFC 2459:
+#
+# id-at-stateOrProvinceName       AttributeType   ::=     {id-at 8}
+OID 2.5.4.8
+TAG id-at-stateOrProvinceName
+EXPL "X.520 State or Province Name"
+NAME NSS_OID_X520_STATE_OR_PROVINCE_NAME
+ATTR "s"
+
+# RFC 2459:
+#
+# id-at-organizationName          AttributeType   ::=     {id-at 10}
+OID 2.5.4.10
+TAG id-at-organizationName
+EXPL "X.520 Organization Name"
+NAME NSS_OID_X520_ORGANIZATION_NAME
+ATTR "o"
+
+# RFC 2459:
+#
+# id-at-organizationalUnitName    AttributeType   ::=     {id-at 11}
+OID 2.5.4.11
+TAG id-at-organizationalUnitName
+EXPL "X.520 Organizational Unit Name"
+NAME NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
+ATTR "ou"
+
+# RFC 2459:
+#
+# id-at-title     AttributeType   ::=     {id-at 12}
+OID 2.5.4.12
+TAG id-at-title
+EXPL "X.520 Title"
+NAME NSS_OID_X520_TITLE
+ATTR "title"
+
+# RFC 2459:
+#
+# id-at-name              AttributeType   ::=     {id-at 41}
+OID 2.5.4.41
+TAG id-at-name
+EXPL "X.520 Name"
+NAME NSS_OID_X520_NAME
+ATTR "name"
+
+# RFC 2459:
+#
+# id-at-givenName         AttributeType   ::=     {id-at 42}
+OID 2.5.4.42
+TAG id-at-givenName
+EXPL "X.520 Given Name"
+NAME NSS_OID_X520_GIVEN_NAME
+ATTR "givenName"
+
+# RFC 2459:
+#
+# id-at-initials          AttributeType   ::=     {id-at 43}
+OID 2.5.4.43
+TAG id-at-initials
+EXPL "X.520 Initials"
+NAME NSS_OID_X520_INITIALS
+ATTR "initials"
+
+# RFC 2459:
+#
+# id-at-generationQualifier       AttributeType   ::=     {id-at 44}
+OID 2.5.4.44
+TAG id-at-generationQualifier
+EXPL "X.520 Generation Qualifier"
+NAME NSS_OID_X520_GENERATION_QUALIFIER
+ATTR "generationQualifier"
+
+# RFC 2459:
+#
+# id-at-dnQualifier       AttributeType   ::=     {id-at 46}
+OID 2.5.4.46
+TAG id-at-dnQualifier
+EXPL "X.520 DN Qualifier"
+NAME NSS_OID_X520_DN_QUALIFIER
+ATTR "dnQualifier"
+
+OID 2.5.5
+TAG attribute-syntax
+EXPL "X.500 attribute syntaxes"
+
+OID 2.5.6
+TAG object-classes
+EXPL "X.500 standard object classes"
+
+OID 2.5.7
+TAG attribute-set
+EXPL "X.500 attribute sets"
+
+OID 2.5.8
+TAG algorithms
+EXPL "X.500-defined algorithms"
+
+OID 2.5.8.1 
+TAG encryption
+EXPL "X.500-defined encryption algorithms"
+
+OID 2.5.8.1.1 
+TAG rsa
+EXPL "RSA Encryption Algorithm"
+NAME NSS_OID_X500_RSA_ENCRYPTION
+CKM CKM_RSA_X_509
+
+OID 2.5.9
+TAG abstract-syntax
+EXPL "X.500 abstract syntaxes"
+
+OID 2.5.12
+TAG operational-attribute
+EXPL "DSA Operational Attributes"
+
+OID 2.5.13
+TAG matching-rule
+EXPL "Matching Rule"
+
+OID 2.5.14
+TAG knowledge-matching-rule
+EXPL "X.500 knowledge Matching Rules"
+
+OID 2.5.15
+TAG name-form
+EXPL "X.500 name forms"
+
+OID 2.5.16
+TAG group
+EXPL "X.500 groups"
+
+OID 2.5.17
+TAG subentry
+EXPL "X.500 subentry"
+
+OID 2.5.18
+TAG operational-attribute-type
+EXPL "X.500 operational attribute type"
+
+OID 2.5.19
+TAG operational-binding
+EXPL "X.500 operational binding"
+
+OID 2.5.20
+TAG schema-object-class
+EXPL "X.500 schema Object class"
+
+OID 2.5.21
+TAG schema-operational-attribute
+EXPL "X.500 schema operational attributes"
+
+OID 2.5.23
+TAG administrative-role
+EXPL "X.500 administrative roles"
+
+OID 2.5.24
+TAG access-control-attribute
+EXPL "X.500 access control attribute"
+
+OID 2.5.25
+TAG ros
+EXPL "X.500 ros object"
+
+OID 2.5.26
+TAG contract
+EXPL "X.500 contract"
+
+OID 2.5.27
+TAG package
+EXPL "X.500 package"
+
+OID 2.5.28
+TAG access-control-schema
+EXPL "X.500 access control schema"
+
+# RFC 2459:
+#
+# id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29}
+OID 2.5.29
+TAG id-ce
+EXPL "X.500 Certificate Extension"
+
+OID 2.5.29.5
+TAG subject-directory-attributes
+EXPL "Certificate Subject Directory Attributes"
+NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTR
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }
+OID 2.5.29.9
+TAG id-ce-subjectDirectoryAttributes
+EXPL "Certificate Subject Directory Attributes"
+NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
+OID 2.5.29.14
+TAG id-ce-subjectKeyIdentifier
+EXPL "Certificate Subject Key ID"
+NAME NSS_OID_X509_SUBJECT_KEY_ID
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
+OID 2.5.29.15
+TAG id-ce-keyUsage
+EXPL "Certificate Key Usage"
+NAME NSS_OID_X509_KEY_USAGE
+CERT_EXTENSION SUPPORTED
+# We called it PKCS12_KEY_USAGE
+
+# RFC 2459:
+#
+# id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }
+OID 2.5.29.16
+TAG id-ce-privateKeyUsagePeriod
+EXPL "Certificate Private Key Usage Period"
+NAME NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
+OID 2.5.29.17
+TAG id-ce-subjectAltName
+EXPL "Certificate Subject Alternate Name"
+NAME NSS_OID_X509_SUBJECT_ALT_NAME
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }
+OID 2.5.29.18
+TAG id-ce-issuerAltName
+EXPL "Certificate Issuer Alternate Name"
+NAME NSS_OID_X509_ISSUER_ALT_NAME
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
+OID 2.5.29.19
+TAG id-ce-basicConstraints
+EXPL "Certificate Basic Constraints"
+NAME NSS_OID_X509_BASIC_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+OID 2.5.29.20
+TAG id-ce-cRLNumber
+EXPL "CRL Number"
+NAME NSS_OID_X509_CRL_NUMBER
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+OID 2.5.29.21
+TAG id-ce-cRLReasons
+EXPL "CRL Reason Code"
+NAME NSS_OID_X509_REASON_CODE
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+OID 2.5.29.23
+TAG id-ce-holdInstructionCode
+EXPL "Hold Instruction Code"
+NAME NSS_OID_X509_HOLD_INSTRUCTION_CODE
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+OID 2.5.29.24
+TAG id-ce-invalidityDate
+EXPL "Invalid Date"
+NAME NSS_OID_X509_INVALID_DATE
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+OID 2.5.29.27
+TAG id-ce-deltaCRLIndicator
+EXPL "Delta CRL Indicator"
+NAME NSS_OID_X509_DELTA_CRL_INDICATOR
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+OID 2.5.29.28
+TAG id-ce-issuingDistributionPoint
+EXPL "Issuing Distribution Point"
+NAME NSS_OID_X509_ISSUING_DISTRIBUTION_POINT
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+OID 2.5.29.29
+TAG id-ce-certificateIssuer
+EXPL "Certificate Issuer"
+NAME NSS_OID_X509_CERTIFICATE_ISSUER
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
+OID 2.5.29.30
+TAG id-ce-nameConstraints
+EXPL "Certificate Name Constraints"
+NAME NSS_OID_X509_NAME_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
+OID 2.5.29.31
+TAG id-ce-cRLDistributionPoints
+EXPL "CRL Distribution Points"
+NAME NSS_OID_X509_CRL_DIST_POINTS
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
+OID 2.5.29.32
+TAG id-ce-certificatePolicies
+EXPL "Certificate Policies"
+NAME NSS_OID_X509_CERTIFICATE_POLICIES
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
+OID 2.5.29.33
+TAG id-ce-policyMappings
+EXPL "Certificate Policy Mappings"
+NAME NSS_OID_X509_POLICY_MAPPINGS
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.5.29.34
+TAG policy-constraints
+EXPL "Certificate Policy Constraints (old)"
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
+OID 2.5.29.35
+TAG id-ce-authorityKeyIdentifier
+EXPL "Certificate Authority Key Identifier"
+NAME NSS_OID_X509_AUTH_KEY_ID
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
+OID 2.5.29.36
+TAG id-ce-policyConstraints
+EXPL "Certificate Policy Constraints"
+NAME NSS_OID_X509_POLICY_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+OID 2.5.29.37
+TAG id-ce-extKeyUsage
+EXPL "Extended Key Usage"
+NAME NSS_OID_X509_EXT_KEY_USAGE
+CERT_EXTENSION SUPPORTED
+
+OID 2.5.30
+TAG id-mgt
+EXPL "X.500 Management Object"
+
+OID 2.6
+TAG x400
+EXPL "X.400 MHS"
+
+OID 2.7
+TAG ccr
+EXPL "Committment, Concurrency and Recovery"
+
+OID 2.8
+TAG oda
+EXPL "Office Document Architecture"
+
+OID 2.9
+TAG osi-management
+EXPL "OSI management"
+
+OID 2.10
+TAG tp
+EXPL "Transaction Processing"
+
+OID 2.11
+TAG dor
+EXPL "Distinguished Object Reference"
+
+OID 2.12
+TAG rdt
+EXPL "Referenced Data Transfer"
+
+OID 2.13
+TAG nlm
+EXPL "Network Layer Management"
+
+OID 2.14
+TAG tlm
+EXPL "Transport Layer Management"
+
+OID 2.15
+TAG llm
+EXPL "Link Layer Management"
+
+OID 2.16
+TAG country
+EXPL "Country Assignments"
+
+OID 2.16.124 
+TAG canada
+EXPL "Canada"
+
+OID 2.16.158
+TAG taiwan
+EXPL "Taiwan"
+
+OID 2.16.578 
+TAG norway
+EXPL "Norway"
+
+OID 2.16.756 
+TAG switzerland
+EXPL "Switzerland"
+
+OID 2.16.840 
+TAG us
+EXPL "United States"
+
+OID 2.16.840.1 
+TAG us-company
+EXPL "United States Company"
+
+OID 2.16.840.1.101 
+TAG us-government
+EXPL "United States Government (1.101)"
+
+OID 2.16.840.1.101.2 
+TAG us-dod
+EXPL "United States Department of Defense"
+
+OID 2.16.840.1.101.2.1 
+TAG id-infosec
+EXPL "US DOD Infosec"
+
+OID 2.16.840.1.101.2.1.0 
+TAG id-modules
+EXPL "US DOD Infosec modules"
+
+OID 2.16.840.1.101.2.1.1 
+TAG id-algorithms
+EXPL "US DOD Infosec algorithms (MISSI)"
+
+OID 2.16.840.1.101.2.1.1.2  
+TAG old-dss
+EXPL "MISSI DSS Algorithm (Old)"
+NAME NSS_OID_MISSI_DSS_OLD
+
+# This is labeled as "### mwelch temporary"
+# Is it official?? XXX fgmr
+OID 2.16.840.1.101.2.1.1.4
+TAG skipjack-cbc-64
+EXPL "Skipjack CBC64"
+NAME NSS_OID_FORTEZZA_SKIPJACK
+CKM CKM_SKIPJACK_CBC64
+
+OID 2.16.840.1.101.2.1.1.10
+TAG kea
+EXPL "MISSI KEA Algorithm"
+NAME NSS_OID_MISSI_KEA
+
+OID 2.16.840.1.101.2.1.1.12
+TAG old-kea-dss
+EXPL "MISSI KEA and DSS Algorithm (Old)"
+NAME NSS_OID_MISSI_KEA_DSS_OLD
+
+OID 2.16.840.1.101.2.1.1.19
+TAG dss
+EXPL "MISSI DSS Algorithm"
+NAME NSS_OID_MISSI_DSS
+
+OID 2.16.840.1.101.2.1.1.20
+TAG kea-dss
+EXPL "MISSI KEA and DSS Algorithm"
+NAME NSS_OID_MISSI_KEA_DSS
+
+OID 2.16.840.1.101.2.1.1.22
+TAG alt-kea
+EXPL "MISSI Alternate KEA Algorithm"
+NAME NSS_OID_MISSI_ALT_KEY
+
+OID 2.16.840.1.101.2.1.2 
+TAG id-formats
+EXPL "US DOD Infosec formats"
+
+OID 2.16.840.1.101.2.1.3 
+TAG id-policy
+EXPL "US DOD Infosec policy"
+
+OID 2.16.840.1.101.2.1.4 
+TAG id-object-classes
+EXPL "US DOD Infosec object classes"
+
+OID 2.16.840.1.101.2.1.5 
+TAG id-attributes
+EXPL "US DOD Infosec attributes"
+
+OID 2.16.840.1.101.2.1.6 
+TAG id-attribute-syntax
+EXPL "US DOD Infosec attribute syntax"
+
+OID 2.16.840.1.113730 
+# The Netscape OID space
+TAG netscape
+EXPL "Netscape Communications Corp."
+
+OID 2.16.840.1.113730.1
+TAG cert-ext
+EXPL "Netscape Cert Extensions"
+
+OID 2.16.840.1.113730.1.1
+TAG cert-type
+EXPL "Certificate Type"
+NAME NSS_OID_NS_CERT_EXT_CERT_TYPE
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.2
+TAG base-url
+EXPL "Certificate Extension Base URL"
+NAME NSS_OID_NS_CERT_EXT_BASE_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.3
+TAG revocation-url
+EXPL "Certificate Revocation URL"
+NAME NSS_OID_NS_CERT_EXT_REVOCATION_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.4
+TAG ca-revocation-url
+EXPL "Certificate Authority Revocation URL"
+NAME NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.5
+TAG ca-crl-download-url
+EXPL "Certificate Authority CRL Download URL"
+NAME NSS_OID_NS_CERT_EXT_CA_CRL_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.6
+TAG ca-cert-url
+EXPL "Certificate Authority Certificate Download URL"
+NAME NSS_OID_NS_CERT_EXT_CA_CERT_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.7
+TAG renewal-url
+EXPL "Certificate Renewal URL"
+NAME NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.8
+TAG ca-policy-url
+EXPL "Certificate Authority Policy URL"
+NAME NSS_OID_NS_CERT_EXT_CA_POLICY_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.9
+TAG homepage-url
+EXPL "Certificate Homepage URL"
+NAME NSS_OID_NS_CERT_EXT_HOMEPAGE_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.10
+TAG entity-logo
+EXPL "Certificate Entity Logo"
+NAME NSS_OID_NS_CERT_EXT_ENTITY_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.11
+TAG user-picture
+EXPL "Certificate User Picture"
+NAME NSS_OID_NS_CERT_EXT_USER_PICTURE
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.12
+TAG ssl-server-name
+EXPL "Certificate SSL Server Name"
+NAME NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.13
+TAG comment
+EXPL "Certificate Comment"
+NAME NSS_OID_NS_CERT_EXT_COMMENT
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.14
+TAG thayes
+EXPL ""
+NAME NSS_OID_NS_CERT_EXT_THAYES
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.2
+TAG data-type
+EXPL "Netscape Data Types"
+
+OID 2.16.840.1.113730.2.1 
+TAG gif
+EXPL "image/gif"
+NAME NSS_OID_NS_TYPE_GIF
+
+OID 2.16.840.1.113730.2.2 
+TAG jpeg
+EXPL "image/jpeg"
+NAME NSS_OID_NS_TYPE_JPEG
+
+OID 2.16.840.1.113730.2.3 
+TAG url
+EXPL "URL"
+NAME NSS_OID_NS_TYPE_URL
+
+OID 2.16.840.1.113730.2.4 
+TAG html
+EXPL "text/html"
+NAME NSS_OID_NS_TYPE_HTML
+
+OID 2.16.840.1.113730.2.5 
+TAG cert-sequence
+EXPL "Certificate Sequence"
+NAME NSS_OID_NS_TYPE_CERT_SEQUENCE
+
+OID 2.16.840.1.113730.3
+# The Netscape Directory OID space
+TAG directory
+EXPL "Netscape Directory"
+
+OID 2.16.840.1.113730.4
+TAG policy
+EXPL "Netscape Policy Type OIDs"
+
+OID 2.16.840.1.113730.4.1
+TAG export-approved
+EXPL "Strong Crypto Export Approved"
+NAME NSS_OID_NS_KEY_USAGE_GOVT_APPROVED
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.5
+TAG cert-server
+EXPL "Netscape Certificate Server"
+
+OID 2.16.840.1.113730.5.1
+
+OID 2.16.840.1.113730.5.1.1
+TAG recovery-request
+EXPL "Netscape Cert Server Recovery Request"
+NAME NSS_OID_NETSCAPE_RECOVERY_REQUEST
+
+OID 2.16.840.1.113730.6
+TAG algs
+EXPL "Netscape algorithm OIDs"
+
+OID 2.16.840.1.113730.6.1
+TAG smime-kea
+EXPL "Netscape S/MIME KEA"
+NAME NSS_OID_NETSCAPE_SMIME_KEA
+
+OID 2.16.840.1.113730.7
+TAG name-components
+EXPL "Netscape Name Components"
+
+OID 2.16.840.1.113730.7.1
+TAG nickname
+EXPL "Netscape Nickname"
+NAME NSS_OID_NETSCAPE_NICKNAME
+
+OID 2.16.840.1.113733 
+TAG verisign
+EXPL "Verisign"
+
+OID 2.16.840.1.113733.1
+
+OID 2.16.840.1.113733.1.7
+
+OID 2.16.840.1.113733.1.7.1
+
+OID 2.16.840.1.113733.1.7.1.1
+TAG verisign-user-notices
+EXPL "Verisign User Notices"
+NAME NSS_OID_VERISIGN_USER_NOTICES
+
+OID 2.16.840.101 
+TAG us-government
+EXPL "US Government (101)"
+
+OID 2.16.840.102 
+TAG us-government2
+EXPL "US Government (102)"
+ 
+OID 2.16.840.11370 
+TAG old-netscape
+EXPL "Netscape Communications Corp. (Old)"
+
+OID 2.16.840.11370.1 
+TAG ns-cert-ext
+EXPL "Netscape Cert Extensions (Old NS)"
+
+OID 2.16.840.11370.1.1 
+TAG netscape-ok
+EXPL "Netscape says this cert is ok (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_NETSCAPE_OK
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.1.2
+TAG issuer-logo
+EXPL "Certificate Issuer Logo (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_ISSUER_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.1.3
+TAG subject-logo
+EXPL "Certificate Subject Logo (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_SUBJECT_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.2 
+TAG ns-file-type
+EXPL "Netscape File Type"
+
+OID 2.16.840.11370.3 
+TAG ns-image-type
+EXPL "Netscape Image Type"
+
+OID 2.17
+TAG registration-procedures
+EXPL "Registration procedures"
+
+OID 2.18
+TAG physical-layer-management
+EXPL "Physical layer Management"
+
+OID 2.19
+TAG mheg
+EXPL "MHEG"
+
+OID 2.20
+TAG guls
+EXPL "Generic Upper Layer Security"
+
+OID 2.21
+TAG tls
+EXPL "Transport Layer Security Protocol"
+
+OID 2.22
+TAG nls
+EXPL "Network Layer Security Protocol"
+
+OID 2.23
+TAG organization
+EXPL "International organizations"
diff --git a/security/nss/lib/pki1/pki1.h b/security/nss/lib/pki1/pki1.h
new file mode 100644
index 000000000..62049efcc
--- /dev/null
+++ b/security/nss/lib/pki1/pki1.h
@@ -0,0 +1,3032 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKI1_H
+#define PKI1_H
+
+#ifdef DEBUG
+static const char PKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pki1.h
+ *
+ * This file contains the prototypes to the non-public NSS routines
+ * relating to the PKIX part-1 objects.
+ */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+#ifndef NSSPKI1_H
+#include "nsspki1.h"
+#endif /* NSSPKI1_H */
+
+PR_BEGIN_EXTERN_C
+
+/* fgmr 19990505 moved these here from oiddata.h */
+extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
+extern const PRUint32 nss_attribute_type_alias_count;
+
+/*
+ * NSSOID
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssOID_CreateFromBER   -- constructor
+ *  nssOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  nssOID_GetDEREncoding
+ *  nssOID_GetUTF8Encoding
+ *
+ * In debug builds, the following non-public calls are also available:
+ *
+ *  nssOID_verifyPointer
+ *  nssOID_getExplanation
+ *  nssOID_getTaggedUTF8
+ */
+
+/*
+ * nssOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER
+(
+  NSSBER *berOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_UTF8;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+nssOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssOID_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid poitner to an NSSOID object, 
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssOID_verifyPointer
+(
+  const NSSOID *oid
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getExplanation
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a static pointer to a UTF8-encoded string
+ * describing (in English) the specified OID.  The memory pointed to
+ * by the return value is not owned by the caller, and should not be
+ * freed or modified.  Note that explanations are only provided for
+ * the OIDs built into the NSS library; there is no way to specify an
+ * explanation for dynamically created OIDs.  This routine is intended
+ * only for use in debugging tools such as "derdump."  This routine
+ * may return null upon error, in which case it will have placed an
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  NULL upon error
+ *  A static pointer to a readonly, non-caller-owned UTF8-encoded
+ *    string explaining the specified OID.
+ */
+
+#ifdef DEBUG
+NSS_EXTERN const char *
+nssOID_getExplanation
+(
+  NSSOID *oid
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getTaggedUTF8
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a pointer to a caller-owned UTF8-encoded
+ * string containing a tagged encoding of the specified OID.  Note
+ * that OID (component) tags are only provided for the OIDs built 
+ * into the NSS library; there is no way to specify tags for 
+ * dynamically created OIDs.  This routine is intended for use in
+ * debugging tools such as "derdump."   If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return return null upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the tagged encoding of
+ *      this NSSOID
+ */
+
+#ifdef DEBUG
+NSS_EXTERN NSSUTF8 *
+nssOID_getTaggedUTF8
+(
+  NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
+
+/*
+ * NSSATAV
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssATAV_CreateFromBER   -- constructor
+ *  nssATAV_CreateFromUTF8  -- constructor
+ *  nssATAV_Create          -- constructor
+ *
+ *  nssATAV_Destroy
+ *  nssATAV_GetDEREncoding
+ *  nssATAV_GetUTF8Encoding
+ *  nssATAV_GetType
+ *  nssATAV_GetValue
+ *  nssATAV_Compare
+ *  nssATAV_Duplicate
+ *
+ * In debug builds, the following non-public call is also available:
+ *
+ *  nssATAV_verifyPointer
+ */
+
+/*
+ * nssATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  const NSSBER *berATAV
+);
+
+/*
+ * nssATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  const NSSUTF8 *stringATAV
+);
+
+/*
+ * nssATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+);
+
+/*
+ * nssATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssATAV_Destroy
+(
+  NSSATAV *atav
+);
+
+/*
+ * nssATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_EXTERN NSSDER *
+nssATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_EXTERN const NSSOID *
+nssATAV_GetType
+(
+  NSSATAV *atav
+);
+
+/*
+ * nssATAV_GetValue
+ *
+ * This routine returns a string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error upon the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+);
+
+/*
+ * nssATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSATAV object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILRUE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssATAV_verifyPointer
+(
+  NSSATAV *atav
+);
+#endif /* DEBUG */
+
+/*
+ * NSSRDN
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssRDN_CreateFromBER   -- constructor
+ *  nssRDN_CreateFromUTF8  -- constructor
+ *  nssRDN_Create          -- constructor
+ *  nssRDN_CreateSimple    -- constructor
+ *
+ *  nssRDN_Destroy
+ *  nssRDN_GetDEREncoding
+ *  nssRDN_GetUTF8Encoding
+ *  nssRDN_AddATAV
+ *  nssRDN_GetATAVCount
+ *  nssRDN_GetATAV
+ *  nssRDN_GetSimpleATAV
+ *  nssRDN_Compare
+ *  nssRDN_Duplicate
+ */
+
+/*
+ * nssRDN_CreateFromBER
+ *
+ * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
+ * RDN.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDN
+);
+
+/*
+ * nssRDN_CreateFromUTF8
+ *
+ * This routine creates an NSSRDN by decoding an UTF8 string 
+ * consisting of either a single ATAV in the "equals" format, e.g., 
+ * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
+ * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error on the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDN
+);
+
+/*
+ * nssRDN_Create
+ *
+ * This routine creates an NSSRDN from one or more NSSATAVs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_Create
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav1,
+  ...
+);
+
+/*
+ * nssRDN_CreateSimple
+ *
+ * This routine creates a simple NSSRDN from a single NSSATAV.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateSimple
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav
+);
+
+/*
+ * nssRDN_Destroy
+ *
+ * This routine will destroy an RDN object.  It should eventually be
+ * called on all RDNs created without an arena.  While it is not 
+ * necessary to call it on RDNs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_Destroy
+(
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDN_GetDEREncoding
+ *
+ * This routine will DER-encode an RDN object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDN
+ */
+
+NSS_EXTERN NSSDER *
+nssRDN_GetDEREncoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDN.  A simple (one-ATAV) RDN will be simply
+ * the string representation of that ATAV; a non-simple RDN will be in
+ * parenthesised form.  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * null upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssRDN_GetUTF8Encoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_AddATAV
+ *
+ * This routine adds an ATAV to the set of ATAVs in the specified RDN.
+ * Remember that RDNs consist of an unordered set of ATAVs.  If the
+ * RDN was created with a non-null arena argument, that same arena
+ * will be used for any additional required memory.  If the RDN was 
+ * created with a NULL arena argument, any additional memory will
+ * be obtained from the heap.  This routine returns a PRStatus value;
+ * it will return PR_SUCCESS upon success, and upon failure it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_AddATAV
+(
+  NSSRDN *rdn,
+  NSSATAV *atav
+);
+
+/*
+ * nssRDN_GetATAVCount
+ *
+ * This routine returns the cardinality of the set of ATAVs within
+ * the specified RDN.  This routine may return 0 upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssRDN_GetATAVCount
+(
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDN_GetATAV
+ *
+ * This routine returns a pointer to an ATAV that is a member of
+ * the set of ATAVs within the specified RDN.  While the set of
+ * ATAVs within an RDN is unordered, this routine will return
+ * distinct values for distinct values of 'i' as long as the RDN
+ * is not changed in any way.  The RDN may be changed by calling
+ * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
+ * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
+ * The caller owns the ATAV the pointer to which is returned.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssRDN_GetATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssRDN_GetSimpleATAV
+ *
+ * Most RDNs are actually very simple, with a single ATAV.  This 
+ * routine will return the single ATAV from such an RDN.  The caller
+ * owns the ATAV the pointer to which is returned.  If the optional
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, including the case where
+ * the set of ATAVs in the RDN is nonsingular.  Upon error, this
+ * routine will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_RDN_NOT_SIMPLE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssRDN_GetSimpleATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_Compare
+ *
+ * This routine compares two RDNs for equality.  For two RDNs to be
+ * equal, they must have the same number of ATAVs, and every ATAV in
+ * one must be equal to an ATAV in the other.  (Note that the sets
+ * of ATAVs are unordered.)  The result of the comparison will be
+ * stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool.  This routine may return PR_FAILURE
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_Compare
+(
+  NSSRDN *rdn1,
+  NSSRDN *rdn2,
+  PRBool *equalp
+);
+
+/*
+ * nssRDN_Duplicate
+ *
+ * This routine duplicates the specified RDN.  If the optional arena
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new RDN
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_Duplicate
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssRDNSeq_CreateFromBER   -- constructor
+ *  nssRDNSeq_CreateFromUTF8  -- constructor
+ *  nssRDNSeq_Create          -- constructor
+ *
+ *  nssRDNSeq_Destroy
+ *  nssRDNSeq_GetDEREncoding
+ *  nssRDNSeq_GetUTF8Encoding
+ *  nssRDNSeq_AppendRDN
+ *  nssRDNSeq_GetRDNCount
+ *  nssRDNSeq_GetRDN
+ *  nssRDNSeq_Compare
+ *  nssRDNSeq_Duplicate
+ *
+ *  nssRDNSeq_EvaluateUTF8 -- not an object method
+ */
+
+/*
+ * nssRDNSeq_CreateFromBER
+ *
+ * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
+ * sequence of RDNs.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDNSeq
+);
+
+/*
+ * nssRDNSeq_CreateFromUTF8
+ *
+ * This routine creates an NSSRDNSeq by decoding a UTF8 string
+ * consisting of a comma-separated sequence of RDNs, such as
+ * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDNSeq
+);
+
+/*
+ * nssRDNSeq_Create
+ *
+ * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointero to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSRDN *rdn1,
+  ...
+);
+
+/*
+ * nssRDNSeq_Destroy
+ *
+ * This routine will destroy an RDNSeq object.  It should eventually 
+ * be called on all RDNSeqs created without an arena.  While it is not
+ * necessary to call it on RDNSeqs created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_Destroy
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * nssRDNSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an RDNSeq object.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return null upon error, in which case it will have
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDNSeq
+ */
+
+NSS_EXTERN NSSDER *
+nssRDNSeq_GetDEREncoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDNSeq as a comma-separated sequence of RDNs.  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssRDNSeq_GetUTF8Encoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_AppendRDN
+ *
+ * This routine appends an RDN to the end of the existing RDN 
+ * sequence.  If the RDNSeq was created with a non-null arena 
+ * argument, that same arena will be used for any additional required
+ * memory.  If the RDNSeq was created with a NULL arena argument, any
+ * additional memory will be obtained from the heap.  This routine
+ * returns a PRStatus value; it will return PR_SUCCESS upon success,
+ * and upon failure it will set an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_AppendRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDNSeq_GetRDNCount
+ *
+ * This routine returns the cardinality of the sequence of RDNs within
+ * the specified RDNSeq.  This routine may return 0 upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssRDNSeq_GetRDNCount
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * nssRDNSeq_GetRDN
+ *
+ * This routine returns a pointer to the i'th RDN in the sequence of
+ * RDNs that make up the specified RDNSeq.  The sequence begins with
+ * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
+ * is on the range [0,c) where c is the cardinality returned from
+ * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
+ * is returned.  If the optional arena argument is non-null, the memory
+ * used will be obtained from that areana; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error upon the error stack.  Note
+ * that the usual UTF8 representation of RDN Sequences is from last
+ * to first.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDN
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDNSeq_GetRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssRDNSeq_Compare
+ *
+ * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
+ * be equal, they must have the same number of RDNs, and each RDN in
+ * one sequence must be equal to the corresponding RDN in the other
+ * sequence.  The result of the comparison will be stored at the
+ * location pointed to by the "equalp" variable, which must point to a
+ * valid PRBool.  This routine may return PR_FAILURE upon error, in
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_Compare
+(
+  NSSRDNSeq *rdnseq1,
+  NSSRDNSeq *rdnseq2,
+  PRBool *equalp
+);
+
+/*
+ * nssRDNSeq_Duplicate
+ *
+ * This routine duplicates the specified RDNSeq.  If the optional arena
+ * argument is non-null, the memory required will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new RDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_Duplicate
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_EvaluateUTF8
+ *
+ * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
+ * string contains the string representation of an RDNSeq.  This 
+ * routine is used by the (directory) Name routines 
+ * nssName_CreateFromUTF8 and nssName_EvaluateUTF8 to determine which
+ * choice of directory name the string may encode.  This routine may 
+ * return PR_FALSE upon error, but it subsumes that condition under the
+ * general "string does not evaluate as an RDNSeq" state, and does not
+ * set an error on the error stack.
+ *
+ * Return value:
+ *  PR_TRUE if the string represents an RDNSeq
+ *  PR_FALSE if otherwise
+ */
+
+NSS_EXTERN PRBool
+nssRDNSeq_EvaluateUTF8
+(
+  NSSUTF8 *str
+);
+
+/*
+ * NSSName
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ * nssName_CreateFromBER   -- constructor
+ * nssName_CreateFromUTF8  -- constructor
+ * nssName_Create          -- constructor
+ *
+ * nssName_Destroy
+ * nssName_GetDEREncoding
+ * nssName_GetUTF8Encoding
+ * nssName_GetChoice
+ * nssName_GetRDNSequence
+ * nssName_GetSpecifiedChoice
+ * nssName_Compare
+ * nssName_Duplicate
+ *
+ * nssName_GetUID
+ * nssName_GetEmail
+ * nssName_GetCommonName
+ * nssName_GetOrganization
+ * nssName_GetOrganizationalUnits
+ * nssName_GetStateOrProvince
+ * nssName_GetLocality
+ * nssName_GetCountry
+ * nssName_GetAttribute
+ *
+ * nssName_EvaluateUTF8 -- not an object method
+ */
+
+/*
+ * nssName_CreateFromBER
+ *
+ * This routine creates an NSSName by decoding a BER- or DER-encoded 
+ * (directory) Name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berName
+);
+
+/*
+ * nssName_CreateFromUTF8
+ *
+ * This routine creates an NSSName by decoding a UTF8 string 
+ * consisting of the string representation of one of the choices of 
+ * (directory) names.  Currently the only choice is an RDNSeq.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  The routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringName
+);
+
+/*
+ * nssName_Create
+ *
+ * This routine creates an NSSName with the specified choice of
+ * underlying name types.  The value of the choice variable must be
+ * one of the values of the NSSNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                     Type
+ *   ========================   ===========
+ *   NSSNameChoiceRdnSequence   NSSRDNSeq *
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_Create
+(
+  NSSArena *arenaOpt,
+  NSSNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssName_Destroy
+ *
+ * This routine will destroy a Name object.  It should eventually be
+ * called on all Names created without an arena.  While it is not
+ * necessary to call it on Names created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssName_Destroy
+(
+  NSSName *name
+);
+
+/*
+ * nssName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSName
+ */
+
+NSS_EXTERN NSSDER *
+nssName_GetDEREncoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the Name in the format specified by the 
+ * underlying name choice.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssName_GetUTF8Encoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetChoice
+ *
+ * This routine returns the type of the choice underlying the specified
+ * name.  The return value will be a member of the NSSNameChoice 
+ * enumeration.  This routine may return NSSNameChoiceInvalid upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  NSSNameChoiceInvalid upon error
+ *  An other member of the NSSNameChoice enumeration upon success
+ */
+
+NSS_EXTERN NSSNameChoice
+nssName_GetChoice
+(
+  NSSName *name
+);
+
+/*
+ * nssName_GetRDNSequence
+ *
+ * If the choice underlying the specified NSSName is that of an 
+ * RDNSequence, this routine will return a pointer to that RDN
+ * sequence.  Otherwise, this routine will place an error on the
+ * error stack, and return NULL.  If the optional arena argument is
+ * non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The
+ * caller owns the returned pointer.  This routine may return NULL
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssName_GetRDNSequence
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSName matches the specified
+ * choice, a caller-owned pointer to that underlying object will be
+ * returned.  Otherwise, an error will be placed on the error stack and
+ * NULL will be returned.  If the optional arena argument is non-null, 
+ * the memory required will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  The caller owns the returned
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+nssName_GetSpecifiedChoice
+(
+  NSSName *name,
+  NSSNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_Compare
+ *
+ * This routine compares two Names for equality.  For two Names to be
+ * equal, they must have the same choice of underlying types, and the
+ * underlying values must be equal.  The result of the comparison will
+ * be stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool. This routine may return PR_FAILURE
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssName_Compare
+(
+  NSSName *name1,
+  NSSName *name2,
+  PRBool *equalp
+);
+
+/*
+ * nssName_Duplicate
+ *
+ * This routine duplicates the specified nssname.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it
+ * will have placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSName
+ */
+
+NSS_EXTERN NSSName *
+nssName_Duplicate
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a UID attribute, the UID will be the value of 
+ * that attribute.  Note that no UID attribute is defined in either 
+ * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
+ * defines the type as a caseIgnoreString.  We'll return a Directory 
+ * String.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetUID
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing either a PKIX email address or a PKCS#9 email
+ * address, the result will be the value of that attribute.  If the
+ * optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
+nssName_GetEmail
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a PKIX Common Name, the result will be that name.  If 
+ * the optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetCommonName
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified name, if the choices and content of the name permit.  
+ * If Name consists of a Sequence of Relative Distinguished names 
+ * containing a PKIX Organization, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetOrganization
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified name, if the choices and content of 
+ * the name permit.  If the Name consists of a Sequence of Relative 
+ * Distinguished Names containing one or more organisational units,
+ * the result will be the values of those attributes.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+nssName_GetOrganizationalUnits
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a state or province, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetStateOrProvince
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from the 
+ * specified name, if the choices and content of the name permit.  If
+ * the Name consists of a Sequence of Relative Distinguished names
+ * containing a Locality, the result will be the value of that 
+ * attribute.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetLocality
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a Country, the result will be the value of
+ * that attribute..  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+nssName_GetCountry
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetAttribute
+ *
+ * If the specified name consists of a Sequence of Relative 
+ * Distinguished Names containing an attribute with the specified 
+ * type, and the actual value of that attribute may be expressed 
+ * with a Directory String, then the value of that attribute will 
+ * be returned as a Directory String.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetAttribute
+(
+  NSSName *name,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_EvaluateUTF8
+ *
+ * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
+ * string contains the string representation of an NSSName.  This 
+ * routine is used by the GeneralName routine 
+ * nssGeneralName_CreateFromUTF8 to determine which choice of
+ * general name the string may encode.  This routine may return 
+ * PR_FALSE upon error, but it subsumes that condition under the 
+ * general "string does not evaluate as a Name" state, and does not
+ * set an error on the error stack.
+ * 
+ * Return value:
+ *  PR_TRUE if the string represents a Name
+ *  PR_FALSE otherwise
+ */
+
+NSS_EXTERN PRBool
+nssName_EvaluateUTF8
+(
+  NSSUTF8 *str
+);
+
+/*
+ * NSSGeneralName
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ * nssGeneralName_CreateFromBER   -- constructor
+ * nssGeneralName_CreateFromUTF8  -- constructor
+ * nssGeneralName_Create          -- constructor
+ *
+ * nssGeneralName_Destroy
+ * nssGeneralName_GetDEREncoding
+ * nssGeneralName_GetUTF8Encoding
+ * nssGeneralName_GetChoice
+ * nssGeneralName_GetOtherName
+ * nssGeneralName_GetRfc822Name
+ * nssGeneralName_GetDNSName
+ * nssGeneralName_GetX400Address
+ * nssGeneralName_GetDirectoryName
+ * nssGeneralName_GetEdiPartyName
+ * nssGeneralName_GetUniformResourceIdentifier
+ * nssGeneralName_GetIPAddress
+ * nssGeneralName_GetRegisteredID
+ * nssGeneralName_GetSpecifiedChoice
+ * nssGeneralName_Compare
+ * nssGeneralName_Duplicate
+ *
+ * nssGeneralName_GetUID
+ * nssGeneralName_GetEmail
+ * nssGeneralName_GetCommonName
+ * nssGeneralName_GetOrganization
+ * nssGeneralName_GetOrganizationalUnits
+ * nssGeneralName_GetStateOrProvince
+ * nssGeneralName_GetLocality
+ * nssGeneralName_GetCountry
+ * nssGeneralName_GetAttribute
+ */
+
+/*
+ * nssGeneralName_CreateFromBER
+ *
+ * This routine creates an NSSGeneralName by decoding a BER- or DER-
+ * encoded general name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralName
+);
+
+/*
+ * nssGeneralName_CreateFromUTF8
+ *
+ * This routine creates an NSSGeneralName by decoding a UTF8 string
+ * consisting of the string representation of one of the choices of
+ * general names.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.  The routine may return NULL upon
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringGeneralName
+);
+
+/*
+ * nssGeneralName_Create
+ *
+ * This routine creates an NSSGeneralName with the specified choice of
+ * underlying name types.  The value of the choice variable must be one
+ * of the values of the NSSGeneralNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                                         Type
+ *   ============================================   =========
+ *   NSSGeneralNameChoiceOtherName
+ *   NSSGeneralNameChoiceRfc822Name
+ *   NSSGeneralNameChoiceDNSName
+ *   NSSGeneralNameChoiceX400Address
+ *   NSSGeneralNameChoiceDirectoryName              NSSName *
+ *   NSSGeneralNameChoiceEdiPartyName
+ *   NSSGeneralNameChoiceUniformResourceIdentifier
+ *   NSSGeneralNameChoiceIPAddress
+ *   NSSGeneralNameChoiceRegisteredID
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one fo the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_Create
+(
+  NSSGeneralNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssGeneralName_Destroy
+ * 
+ * This routine will destroy a General Name object.  It should 
+ * eventually be called on all General Names created without an arena.
+ * While it is not necessary to call it on General Names created within
+ * an arena, it is not an error to do so.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS. If 
+ * usuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralName_Destroy
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralName
+ */
+
+NSS_EXTERN NSSDER *
+nssGeneralName_GetDEREncoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the General Name in the format specified by the
+ * underlying name choice.  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssGeneralName_GetUTF8Encoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetChoice
+ *
+ * This routine returns the type of choice underlying the specified 
+ * general name.  The return value will be a member of the 
+ * NSSGeneralNameChoice enumeration.  This routine may return 
+ * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NSSGeneralNameChoiceInvalid upon error
+ *  An other member of the NSSGeneralNameChoice enumeration 
+ */
+
+NSS_EXTERN NSSGeneralNameChoice
+nssGeneralName_GetChoice
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralName_GetOtherName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * Other Name, this routine will return a pointer to that Other name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSOtherName
+ */
+
+NSS_EXTERN NSSOtherName *
+nssGeneralName_GetOtherName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetRfc822Name
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * RFC 822 Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRFC822Name
+ */
+
+NSS_EXTERN NSSRFC822Name *
+nssGeneralName_GetRfc822Name
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetDNSName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a 
+ * DNS Name, this routine will return a pointer to that DNS name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSDNSName
+ */
+
+NSS_EXTERN NSSDNSName *
+nssGeneralName_GetDNSName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetX400Address
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * X.400 Address, this routine will return a pointer to that Address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSX400Address
+ */
+
+NSS_EXTERN NSSX400Address *
+nssGeneralName_GetX400Address
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetDirectoryName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * (directory) Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSName
+ */
+
+NSS_EXTERN NSSName *
+nssGeneralName_GetName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetEdiPartyName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * EDI Party Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSEdiPartyName
+ */
+
+NSS_EXTERN NSSEdiPartyName *
+nssGeneralName_GetEdiPartyName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUniformResourceIdentifier
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * URI, this routine will return a pointer to that URI.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSURI
+ */
+
+NSS_EXTERN NSSURI *
+nssGeneralName_GetUniformResourceIdentifier
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetIPAddress
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * IP Address , this routine will return a pointer to that address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSIPAddress
+ */
+
+NSS_EXTERN NSSIPAddress *
+nssGeneralName_GetIPAddress
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetRegisteredID
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * Registered ID, this routine will return a pointer to that ID.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRegisteredID
+ */
+
+NSS_EXTERN NSSRegisteredID *
+nssGeneralName_GetRegisteredID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSGeneralName matches the
+ * specified choice, a caller-owned pointer to that underlying object
+ * will be returned.  Otherwise, an error will be placed on the error
+ * stack and NULL will be returned.  If the optional arena argument
+ * is non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The caller
+ * owns the returned pointer.  This routine may return NULL upon 
+ * error, in which caes it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+nssGeneralName_GetSpecifiedChoice
+(
+  NSSGeneralName *generalName,
+  NSSGeneralNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_Compare
+ * 
+ * This routine compares two General Names for equality.  For two 
+ * General Names to be equal, they must have the same choice of
+ * underlying types, and the underlying values must be equal.  The
+ * result of the comparison will be stored at the location pointed
+ * to by the "equalp" variable, which must point to a valid PRBool.
+ * This routine may return PR_FAILURE upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following value:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralName_Compare
+(
+  NSSGeneralName *generalName1,
+  NSSGeneralName *generalName2,
+  PRBool *equalp
+);
+
+/*
+ * nssGeneralName_Duplicate
+ *
+ * This routine duplicates the specified General Name.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSGeneralName
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_Duplicate
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished Names containing a UID
+ * attribute, the UID will be the value of that attribute.  Note
+ * that no UID attribute is defined in either PKIX or PKCS#9; 
+ * rather, this seems to derive from RFC 1274, which defines the
+ * type as a caseIgnoreString.  We'll return a Directory String.
+ * If the optional arena argument is non-null, the memory used
+ * will be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetUID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing either
+ * a PKIX email address or a PKCS#9 email address, the result will
+ * be the value of that attribute.  If the General Name is an RFC 822
+ * Name, the result will be the string form of that name.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
+nssGeneralName_GetEmail
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a PKIX
+ * Common Name, the result will be that name.  If the optional arena 
+ * argument is non-null, the memory used will be obtained from that 
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetCommonName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing an
+ * Organization, the result will be the value of that attribute.  
+ * If the optional arena argument is non-null, the memory used will 
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetOrganization
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified general name, if the choices and 
+ * content of the name permit.  If the General Name is a (directory) 
+ * Name consisting of a Sequence of Relative Distinguished names 
+ * containing one or more organisational units, the result will 
+ * consist of those units.  If the optional arena  argument is non-
+ * null, the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+nssGeneralName_GetOrganizationalUnits
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a state or 
+ * province, the result will be the value of that attribute.  If the 
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetStateOrProvince
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a Locality, 
+ * the result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetLocality
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified general name, if the choices and content of the name 
+ * permit.  If the General Name is a (directory) Name consisting of a
+ * Sequence of Relative Distinguished names containing a Country, the 
+ * result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+nssGeneralName_GetCountry
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetAttribute
+ *
+ * If the specified general name is a (directory) name consisting
+ * of a Sequence of Relative Distinguished Names containing an 
+ * attribute with the specified type, and the actual value of that
+ * attribute may be expressed with a Directory String, then the
+ * value of that attribute will be returned as a Directory String.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetAttribute
+(
+  NSSGeneralName *generalName,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  nssGeneralNameSeq_CreateFromBER   -- constructor
+ *  nssGeneralNameSeq_Create          -- constructor
+ *
+ *  nssGeneralNameSeq_Destroy
+ *  nssGeneralNameSeq_GetDEREncoding
+ *  nssGeneralNameSeq_AppendGeneralName
+ *  nssGeneralNameSeq_GetGeneralNameCount
+ *  nssGeneralNameSeq_GetGeneralName
+ *  nssGeneralNameSeq_Compare
+ *  nssGeneralnameSeq_Duplicate
+ */
+
+/*
+ * nssGeneralNameSeq_CreateFromBER
+ *
+ * This routine creates a general name sequence by decoding a BER-
+ * or DER-encoded GeneralNames.  If the optional arena argument is
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_Create
+ *
+ * This routine creates an NSSGeneralNameSeq from one or more General
+ * Names.  The final argument to this routine must be NULL.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSGeneralName *generalName1,
+  ...
+);
+
+/*
+ * nssGeneralNameSeq_Destroy
+ *
+ * This routine will destroy an NSSGeneralNameSeq object.  It should
+ * eventually be called on all NSSGeneralNameSeqs created without an
+ * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
+ * created within an arena, it is not an error to do so.  This routine
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_Destroy
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an NSSGeneralNameSeq object.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return null upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralNameSeq
+ */
+
+NSS_EXTERN NSSDER *
+nssGeneralNameSeq_GetDEREncoding
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralNameSeq_AppendGeneralName
+ *
+ * This routine appends a General Name to the end of the existing
+ * General Name Sequence.  If the sequence was created with a non-null
+ * arena argument, that same arena will be used for any additional
+ * required memory.  If the sequence was created with a NULL arena
+ * argument, any additional memory will be obtained from the heap.
+ * This routine returns a PRStatus value; it will return PR_SUCCESS
+ * upon success, and upon failure it will set an error on the error
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure.
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_AppendGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralNameSeq_GetGeneralNameCount
+ *
+ * This routine returns the cardinality of the specified General name
+ * Sequence.  This routine may return 0 upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value;
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssGeneralNameSeq_GetGeneralNameCount
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_GetGeneralName
+ *
+ * This routine returns a pointer to the i'th General Name in the 
+ * specified General Name Sequence.  The value of the variable 'i' is
+ * on the range [0,c) where c is the cardinality returned from 
+ * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
+ * Name the pointer to which is returned.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to a General Name.
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralNameSeq_GetGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssGeneralNameSeq_Compare
+ *
+ * This routine compares two General Name Sequences for equality.  For
+ * two General Name Sequences to be equal, they must have the same
+ * cardinality, and each General Name in one sequence must be equal to
+ * the corresponding General Name in the other.  The result of the
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_Compare
+(
+  NSSGeneralNameSeq *generalNameSeq1,
+  NSSGeneralNameSeq *generalNameSeq2,
+  PRBool *equalp
+);
+
+/*
+ * nssGeneralNameSeq_Duplicate
+ *
+ * This routine duplicates the specified sequence of general names.  If
+ * the optional arena argument is non-null, the memory required will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new General Name Sequence.
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_Duplicate
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKI1_H */
diff --git a/security/nss/lib/pki1/pki1t.h b/security/nss/lib/pki1/pki1t.h
new file mode 100644
index 000000000..de6e5c835
--- /dev/null
+++ b/security/nss/lib/pki1/pki1t.h
@@ -0,0 +1,104 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKI1T_H
+#define PKI1T_H
+
+#ifdef DEBUG
+static const char PKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pki1t.h
+ *
+ * This file contains definitions for the types used in the PKIX part-1
+ * code, but not available publicly.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSOID
+ *
+ * This structure is used to hold our internal table of built-in OID
+ * data.  The fields are as follows:
+ *
+ *  NSSItem     data -- this is the actual DER-encoded multinumber oid
+ *  const char *expl -- this explains the derivation, and is checked
+ *                      in a unit test.  While the field always exists,
+ *                      it is only populated or used in debug builds.
+ *
+ */
+
+struct NSSOIDStr {
+#ifdef DEBUG
+  const NSSUTF8 *tag;
+  const NSSUTF8 *expl;
+#endif /* DEBUG */
+  NSSItem data;
+};
+
+/*
+ * nssAttributeTypeAliasTable
+ *
+ * Attribute types are passed around as oids (at least in the X.500
+ * and PKI worlds, as opposed to ldap).  However, when written as 
+ * strings they usually have well-known aliases, e.g., "ou" or "c."
+ *
+ * This type defines a table, populated in the generated oiddata.c
+ * file, of the aliases we recognize.
+ *
+ * The fields are as follows:
+ *
+ *  NSSUTF8 *alias -- a well-known string alias for an oid
+ *  NSSOID  *oid   -- the oid to which the alias corresponds
+ *
+ */
+
+struct nssAttributeTypeAliasTableStr {
+  const NSSUTF8 *alias;
+  const NSSOID **oid;
+};
+typedef struct nssAttributeTypeAliasTableStr nssAttributeTypeAliasTable;
+
+PR_END_EXTERN_C
+
+#endif /* PKI1T_H */
diff --git a/security/nss/lib/pki1/rdn.c b/security/nss/lib/pki1/rdn.c
new file mode 100644
index 000000000..f778de22c
--- /dev/null
+++ b/security/nss/lib/pki1/rdn.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * rdn.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * RelativeDistinguishedName.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * RelativeDistinguishedName
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  RelativeDistinguishedName       ::=
+ *                  SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ * An RDN is merely an (unordered) set of ATAV's.  The setSize (that's
+ * a noun, not a verb) variable is a "helper" variable kept for
+ * convenience.
+ */
+
+struct nssRDNStr {
+  PRUint32 setSize;
+  NSSATAV **atavs;
+};
diff --git a/security/nss/lib/pki1/rdnseq.c b/security/nss/lib/pki1/rdnseq.c
new file mode 100644
index 000000000..bbd4dfe4b
--- /dev/null
+++ b/security/nss/lib/pki1/rdnseq.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * rdnseq.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * RDNSequence.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * RDNSequence
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ * An RDNSequence is simply an (ordered) sequence of RDN's.  The 
+ * seqSize variable is a "helper" kept for simplicity.
+ */
+
+struct nssRDNSeqStr {
+  PRUint32 seqSize;
+  NSSRDN **rdns;
+};